Re: [css-color][filter-effects] (was: Re: [filter-effects] Tainted filter primitives)

On Fri, Dec 13, 2013 at 1:48 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> On Sat, Dec 14, 2013 at 8:11 AM, Tab Atkins Jr. <jackalmage@gmail.com>
> wrote:
>> That's silly.  There's no reason to break currentcolor just because
>> :visited is being used.  Plus, depending on implementation strategy,
>> actually getting the sanitized color is expensive (as you have to
>> rerun style matching, excluding all rules with :visited in their
>> selectors).
>
> FWIW, it's essential that getting the sanitized value be exactly as
> expensive as getting the regular value. Otherwise you open yourself to
> timing attacks.

Bah, that's true.  That means tracking two values for anything that
needs sanitization, unfortunately.

~TJ

Received on Friday, 13 December 2013 22:48:21 UTC