Re: [css-color][filter-effects] from Simon Sapin on 2013-12-11 (public-fx@w3.org from October to December 2013)

From: Simon Sapin <simon.sapin@exyr.org>
Date: Wed, 11 Dec 2013 17:23:42 +0000
To: Dirk Schulze <dschulze@adobe.com>, "robert@ocallahan.org" <robert@ocallahan.org>
CC: "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>
Message-ID: <52A89F9E.5090801@exyr.org>

On 11/12/2013 08:52, Dirk Schulze wrote:
> +CC www-style because of color discussion
>
> On Dec 11, 2013, at 4:34 AM, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> http://dev.w3.org/fxtf/filters/#security
>>
>> For feFlood, feDropShadow, feDiffuseLighting and
>> feSpecularLighting, I don't think these should be tainted ---
>> currentColor isn't used very often. In Gecko (and I think other
>> engines), we make getComputedStyle on 'color' return the value the
>> 'color' property would have if all links are unvisited. So I think
>> we can use that here, and specify that for filter primitive
>> elements, currentColor evaluates to the value of the 'color'
>> property assuming no links are visited.
>
> I know that it took some time for us at WebKit to fix currentColor so
> that it implements the behavior of the SVG spec. Right after that the
> CSS WG asked to change the behavior again. I don’t know in which
> state WebKit and Blink are right now.
>
> CSS3 Color at least says [1]:
>
> “"
> The value of the ‘color’ property. The computed value of the
> ‘currentColor’ keyword is the computed value of the ‘color’ property.
> If the ‘currentColor’ keyword is set on the ‘color’ property itself,
> it is treated as ‘color: inherit’.
> “”
>
> There is no further restriction. Rather the opposite: The ‘color’
> property is explicitly allowed to be changed for pseudo selectors
> like :visited. Are you asking to change this?
>
> Maybe I misunderstand you and you really mean that getComputedStyle()
> does not return the actual color value that is used. This is right.
> At least Firefox does not return the value set by :visited pseudo
> selectors. I assume other browsers do the same. This does not mean
> that currentColor does not actually uses a different color value (the
> one specified by the :visited ‘color’ property setting) - even if it
> tells otherwise. Since the timing attack works on the visual data
> rather than the data of CSS OM, a “false” value on getComputedStyle()
> doesn’t matter. If you want that to happen, we need to change the
> specification text in CSS Colors.
>
> Greetings,
> Dirk
>
> [1] http://www.w3.org/TR/css3-color/#currentcolor
> [2] http://dbaron.org/mozilla/visited-privacy
>
>>
>> feImage is only tainted if the mode is No-CORS and the loaded image
>> actually is from a different origin.

I don’t know the context of this discussion, but note that the quoted 
part of CSS Color has an errata:

http://www.w3.org/Style/2011/REC-css3-color-20110607-errata.html#s.4.5

-- 
Simon Sapin

Received on Wednesday, 11 December 2013 17:24:49 UTC