Re: New directions in CSS History stealing

Hello,

A writeup is here:
https://lcamtuf.blogspot.co.uk/2016/08/css-mix-blend-mode-is-bad-for-keeping.html

As highlighted, the issue was considered for a while (two years). I am
wondering how many standards and implementations are being analyzed for
vulns - during their development, only to disclose them after they reach
deployments. That said, this is not the case, as there was a clear warning (
http://lcamtuf.coredump.cx/css_calc/), which went unnoticed.

The key lesson is for us possibly is the following: should W3C/PING react
to similar warnings and research and be in position to, well, address/block
them?



2016-08-14 16:04 GMT+01:00 Greg Norcie <gnorcie@cdt.org>:

> Requires JS. NoScript saves the day once again :)
>
>
> Is there a whitepaper somewhere with technical details?
>
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
> /*******************************************/
>
> On Thu, Aug 4, 2016 at 7:06 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com
> > wrote:
>
>> Dear PING,
>>
>> History hijack attack is back. Very smart use of CSS :)
>>
>> Try at http://lcamtuf.coredump.cx/whack/
>>
>
>

Received on Monday, 15 August 2016 09:52:22 UTC