Re: [css-houdini-drafts] [css-paint-api] CSS Paint API leaks browsing history from Michael Smith via GitHub on 2018-08-13 (public-houdini-archive@w3.org from August 2018)

From: Michael Smith via GitHub <sysbot+gh@w3.org>
Date: Mon, 13 Aug 2018 18:19:44 +0000
To: public-houdini-archive@w3.org
Message-ID: <issue_comment.created-412615135-1534184383-sysbot+gh@w3.org>

@dbaron 

> That said, although the paper doesn't explicitly say so, I'm assuming the "Amplified attack" variant is also counting calls to the paint callback and only doing the registerPaint that marks the link as visited on the second call... if that's not the case then I don't actually understand how that attack is working.

Yes, that's correct. We use `registerPaint` to store persistent state across `paint` callback invocations.

On the first invocation of our `paint` callback, we do `registerPaint('target_foo', P)`.

On the second invocation, we do `registerPaint('target_foo', P)` again, but this time it throws an exception since `target_foo` is already registered. We catch the exception and do `registerPaint('target_foo_visited', P)` in response.

-- 
GitHub Notification of comment by spinda
Please view or discuss this issue at https://github.com/w3c/css-houdini-drafts/issues/791#issuecomment-412615135 using your GitHub account

Received on Monday, 13 August 2018 18:19:50 UTC