Re: [css-color][filter-effects] (was: Re: [filter-effects] Tainted filter primitives)

On Wed, Dec 11, 2013 at 9:52 PM, Dirk Schulze <dschulze@adobe.com> wrote:

> There is no further restriction. Rather the opposite: The ‘color’ property
> is explicitly allowed to be changed for pseudo selectors like :visited. Are
> you asking to change this?
>

No.

> Maybe I misunderstand you and you really mean that getComputedStyle() does
> not return the actual color value that is used.


Yes.


> This is right. At least Firefox does not return the value set by :visited
> pseudo selectors. I assume other browsers do the same. This does not mean
> that currentColor does not actually use a different color value (the one
> specified by the :visited ‘color’ property setting) - even if it tells
> otherwise. Since the timing attack works on the visual data rather than the
> data of CSS OM, a “false” value on getComputedStyle() doesn’t matter. If
> you want that to happen, we need to change the specification text in CSS
> Colors.
>

I guess we should define in CSS Colors a "sanitized 'color' value" that is
safe to be exposed to Web scripts, and in Filters define 'flood-color' and
'lighting-color' to use the "sanitized 'color' value" for currentColor.

Rob
-- 
Jtehsauts  tshaei dS,o n" Wohfy  Mdaon  yhoaus  eanuttehrotraiitny  eovni
le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o  Whhei csha iids  teoa
stiheer :p atroa lsyazye,d  'mYaonu,r  "sGients  uapr,e  tfaokreg iyvoeunr,
'm aotr  atnod  sgaoy ,h o'mGee.t"  uTph eann dt hwea lmka'n?  gBoutt  uIp
waanndt  wyeonut  thoo mken.o w

Received on Wednesday, 11 December 2013 21:08:01 UTC