On Wed, Dec 11, 2013 at 9:52 PM, Dirk Schulze <dschulze@adobe.com> wrote: > There is no further restriction. Rather the opposite: The ‘color’ property > is explicitly allowed to be changed for pseudo selectors like :visited. Are > you asking to change this? > No. Maybe I misunderstand you and you really mean that getComputedStyle() does > not return the actual color value that is used. Yes. > This is right. At least Firefox does not return the value set by :visited > pseudo selectors. I assume other browsers do the same. This does not mean > that currentColor does not actually uses a different color value (the one > specified by the :visited ‘color’ property setting) - even if it tells > otherwise. Since the timing attack works on the visual data rather than the > data of CSS OM, a “false” value on getComputedStyle() doesn’t matter. If > you want that to happen, we need to change the specification text in CSS > Colors. > I guess we should define in CSS Colors a "sanitized 'color' value" that is safe to be exposed to Web scripts, and in Filters define 'flood-color' and 'lighting-color' to use the "sanitized 'color' value" for currentColor Rob -- Jtehsauts tshaei dS,o n" Wohfy Mdaon yhoaus eanuttehrotraiitny eovni le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o Whhei csha iids teoa stiheer :p atroa lsyazye,d 'mYaonu,r "sGients uapr,e tfaokreg iyvoeunr, 'm aotr atnod sgaoy ,h o'mGee.t" uTph eann dt hwea lmka'n? gBoutt uIp waanndt wyeonut thoo mken.o wReceived on Wednesday, 11 December 2013 21:08:01 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:49:47 UTC