- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Tue, 3 Feb 2015 19:06:37 -0800
- To: Michiel Bijl <michiel@agosto.nl>
- Cc: François REMY <francois.remy.dev@outlook.com>, "public-houdini@w3.org" <public-houdini@w3.org>
On Mon, Feb 2, 2015 at 3:15 AM, Michiel Bijl <michiel@agosto.nl> wrote:
> What exactly is the (security) issue with a:visited?

You can style links differently with :visited, produce a bunch of links, and check their styles, which lets you tell which sites the user has visited recently. This is a privacy violation, and makes it easier to, for example, phish effectively, since you can tell which bank the user visits, etc.

To limit this, browsers limit rules containing a :visited pseudoclass to only be able to apply a handful of styles (nothing that causes network requests, or that changes layout in an observable way; you can pretty much only do color and text-decoration), and whenever you do getComputedStyle(), they lie and claim all links are unvisited while computing the style, so you can't even tell when directly querying the style.

> Are there any thoughts on how one could make this backwards compatible-ish? Something like flex box can be used fairly safe, but something like @extend would be a lot harder I feel. Any thoughts?

You use a preprocessor. Native @extend gives you slightly richer/more complete semantics than preprocessor @extend, but it's close enough to work most of the time (according to Natalie, the lead maintainer of Sass).

~TJ
Received on Wednesday, 4 February 2015 03:07:24 UTC
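
As an added illustration (not part of the original message), the restriction described above can be checked at authoring time: this sketch flags declarations in :visited rules that fall outside a colour-only allowlist, which browsers would therefore ignore. The allowlist, the function names and the sample stylesheet are assumptions constructed for the example.

```javascript
// Assumed allowlist of colour-only properties; adjust to the browsers you target.
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-color', 'outline-color',
  'text-decoration-color', 'column-rule-color', 'fill', 'stroke',
]);

// Minimal parser for flat CSS (no nested at-rules): returns {selector, declarations}.
function parseRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const declarations = m[2].split(';')
      .map(d => d.trim())
      .filter(d => d.includes(':'))
      .map(d => {
        const i = d.indexOf(':'); // first colon separates property from value
        return { property: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Report declarations in :visited rules that fall outside the allowlist.
function lintVisited(css, allowed = VISITED_SAFE) {
  const findings = [];
  for (const rule of parseRules(css)) {
    // Only the comma-separated selectors that mention :visited are restricted.
    const hits = rule.selector.split(',').map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (hits.length === 0) continue;
    for (const { property, value } of rule.declarations) {
      if (!allowed.has(property)) {
        findings.push({ selector: hits.join(', '), property, value });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet.
const SAMPLE_CSS = `
a:link { color: blue; background-image: url(/img/link.png); }
a:visited { color: purple; background-image: url(/img/visited.png); }
nav a:visited, nav a:hover { font-size: 2em; outline-color: gray; }
`;

console.log(lintVisited(SAMPLE_CSS));
```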