Re: [css-color][filter-effects]

On 11/12/2013 08:52, Dirk Schulze wrote:
> +CC www-style because of color discussion
>
> On Dec 11, 2013, at 4:34 AM, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> http://dev.w3.org/fxtf/filters/#security
>>
>> For feFlood, feDropShadow, feDiffuseLighting and
>> feSpecularLighting, I don't think these should be tainted ---
>> currentColor isn't used very often. In Gecko (and I think other
>> engines), we make getComputedStyle on 'color' return the value the
>> 'color' property would have if all links are unvisited. So I think
>> we can use that here, and specify that for filter primitive
>> elements, currentColor evaluates to the value of the 'color'
>> property assuming no links are visited.
>
> I know that it took some time for us at WebKit to fix currentColor so
> that it implements the behavior of the SVG spec. Right after that the
> CSS WG asked to change the behavior again. I don’t know in which
> state WebKit and Blink are right now.
>
> CSS3 Color at least says [1]:
>
> ""
> The value of the ‘color’ property. The computed value of the
> ‘currentColor’ keyword is the computed value of the ‘color’ property.
> If the ‘currentColor’ keyword is set on the ‘color’ property itself,
> it is treated as ‘color: inherit’.
> ""
>
> There is no further restriction. Rather the opposite: The ‘color’
> property is explicitly allowed to be changed for pseudo selectors
> like :visited. Are you asking to change this?
>
> Maybe I misunderstand you and you really mean that getComputedStyle()
> does not return the actual color value that is used. This is right.
> At least Firefox does not return the value set by :visited pseudo
> selectors. I assume other browsers do the same. This does not mean
> that currentColor does not actually use a different color value (the
> one specified by the :visited ‘color’ property setting) - even if it
> tells otherwise. Since the timing attack works on the visual data
> rather than the data of CSS OM, a “false” value on getComputedStyle()
> doesn’t matter. If you want that to happen, we need to change the
> specification text in CSS Colors.
>
> Greetings,
> Dirk
>
> [1] http://www.w3.org/TR/css3-color/#currentcolor
> [2] http://dbaron.org/mozilla/visited-privacy
>
>>
>> feImage is only tainted if the mode is No-CORS and the loaded image
>> actually is from a different origin.

I don’t know the context of this discussion, but note that the quoted 
part of CSS Color has an errata:

http://www.w3.org/Style/2011/REC-css3-color-20110607-errata.html#s.4.5

-- 
Simon Sapin

Received on Wednesday, 11 December 2013 17:24:49 UTC