[css-color][filter-effects] (was: Re: [filter-effects] Tainted filter primitives)

+CC www-style because of color discussion

On Dec 11, 2013, at 4:34 AM, Robert O'Callahan <robert@ocallahan.org> wrote:

> http://dev.w3.org/fxtf/filters/#security
> For feFlood, feDropShadow, feDiffuseLighting and feSpecularLighting, I don't think these should be tainted --- currentColor isn't used very often. In Gecko (and I think other engines), we make getComputedStyle on 'color' return the value the 'color' property would have if all links are unvisited. So I think we can use that here, and specify that for filter primitive elements, currentColor evaluates to the value of the 'color' property assuming no links are visited.

I know that it took some time for us at WebKit to fix currentColor so that it implements the behavior of the SVG spec. Right after that the CSS WG asked to change the behavior again. I don’t know in which state WebKit and Blink are right now.

CSS3 Color at least says [1]:

The value of the ‘color’ property. The computed value of the ‘currentColor’ keyword is the computed value of the ‘color’ property. If the ‘currentColor’ keyword is set on the ‘color’ property itself, it is treated as ‘color: inherit’.

There is no further restriction. Rather the opposite: The ‘color’ property is explicitly allowed to be changed for pseudo selectors like :visited. Are you asking to change this?

Maybe I misunderstand you and you really mean that getComputedStyle() does not return the actual color value that is used. This is right. At least Firefox does not return the value set by :visited pseudo selectors. I assume other browsers do the same. This does not mean that currentColor does not actually uses a different color value (the one specified by the :visited ‘color’ property setting) - even if it tells otherwise. Since the timing attack works on the visual data rather than the data of CSS OM, a “false” value on getComputedStyle() doesn’t matter. If you want that to happen, we need to change the specification text in CSS Colors.


[1] http://www.w3.org/TR/css3-color/#currentcolor
[2] http://dbaron.org/mozilla/visited-privacy

> feImage is only tainted if the mode is No-CORS and the loaded image actually is from a different origin.
> Rob
> -- 
> Jtehsauts  tshaei dS,o n" Wohfy  Mdaon  yhoaus  eanuttehrotraiitny  eovni le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o  Whhei csha iids  teoa stiheer :p atroa lsyazye,d  'mYaonu,r  "sGients  uapr,e  tfaokreg iyvoeunr, 'm aotr  atnod  sgaoy ,h o'mGee.t"  uTph eann dt hwea lmka'n?  gBoutt  uIp  waanndt  wyeonut  thoo mken.o w  

Received on Wednesday, 11 December 2013 10:24:38 UTC