- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Fri, 13 Dec 2013 14:47:31 -0800
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: Dirk Schulze <dschulze@adobe.com>, public-fx <public-fx@w3.org>, www-style <www-style@w3.org>
On Fri, Dec 13, 2013 at 1:48 PM, Robert O'Callahan <robert@ocallahan.org> wrote: > On Sat, Dec 14, 2013 at 8:11 AM, Tab Atkins Jr. <jackalmage@gmail.com> > wrote: >> That's silly. There's no reason to break currentcolor just because >> :visited is being used. Plus, depending on implementation strategy, >> actually getting the sanitized color is expensive (as you have to >> rerun style matching, excluding all rules with :visited in their >> selectors). > > FWIW, it's essential that getting the sanitized value be exactly as > expensive as getting the regular value. Otherwise you open yourself to > timing attacks. Bah, that's true. That means tracking two values for anything that needs sanitization, unfortunately. ~TJ
Received on Friday, 13 December 2013 22:48:21 UTC