- From: Deian Stefan via GitHub <sysbot+gh@w3.org>
- Date: Sat, 11 Aug 2018 00:39:54 +0000
- To: public-houdini-archive@w3.org
It definitely is! I think we should try to cover visited links under the SOP umbrella so that specs like this don't need to special case links or worry about history sniffing. This is a larger conversation that we need to have, though, and I'm guessing that may take a while. Until this is done, I think recommending Chrome's approach is pretty reasonable. (Unfortunately, the Paint API exposes a higher bandwidth channel than the other things we looked at.) Alternatively, plugging the side channels (registerPaint throwing an exception and paintlet-width leak [pg 5]) to address the amplified attack may be reasonable (though other side channels may similarly exist so I'm less excited about this to be honest).

--
GitHub Notification of comment by deian
Please view or discuss this issue at https://github.com/w3c/css-houdini-drafts/issues/791#issuecomment-412238264 using your GitHub account
Received on Saturday, 11 August 2018 00:39:57 UTC