- From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
- Date: Mon, 15 Aug 2016 10:51:52 +0100
- To: Greg Norcie <norcie@cdt.org>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Received on Monday, 15 August 2016 09:52:22 UTC
Hello,

A writeup is here:
https://lcamtuf.blogspot.co.uk/2016/08/css-mix-blend-mode-is-bad-for-keeping.html

As highlighted, the issue was considered for a while (two years). I am wondering how many standards and implementations are being analyzed for vulns - during their development, only to disclose them after they reach deployments. That said, this is not the case, as there was a clear warning (http://lcamtuf.coredump.cx/css_calc/), which went unnoticed.

The key lesson for us is possibly the following: should W3C/PING react to similar warnings and research and be in a position to, well, address/block them?

2016-08-14 16:04 GMT+01:00 Greg Norcie <gnorcie@cdt.org>:

> Requires JS. NoScript saves the day once again :)
>
> Is there a whitepaper somewhere with technical details?
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
> /*******************************************/
>
> On Thu, Aug 4, 2016 at 7:06 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> wrote:
>
>> Dear PING,
>>
>> History hijack attack is back. Very smart use of CSS :)
>>
>> Try at http://lcamtuf.coredump.cx/whack/