W3C home > Mailing lists > Public > public-webapi@w3.org > April 2008

Re: [selectors-api] Handling :link and :visited Pseudo Classes

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 16 Apr 2008 22:57:38 +0200
To: "Travis Leithead" <travil@windows.microsoft.com>, "Lachlan Hunt" <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>
Message-ID: <op.t9p1uca864w2qv@annevk-t60.oslo.opera.com>

On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead  
<travil@windows.microsoft.com> wrote:
> However, I recently decided to keep the Selectors API behavior the same  
> because 1) we have had no customer-reported problems/feedback on the  
> current mitigation, and 2) I'd like to make IE8 just that much more  
> secure. (On reason #1, I concede that this is a Beta, and the Selectors  
> API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using  
currentStyle... Or using #google-com:visited  
{ background:url(tracker?google-com) } or something like that.

> The current mitigation does exclude the ability to retrieve a list of  
> links. However, I'm sure I don't have to remind you folks that for this  
> scenario, there's already an excellent pre-established list of links off  
> of the document [1]. The only thing you're not getting is the subset of  
> links that the user has visited, and while there are use-cases for  
> styling said list, the exploitation of this list for destructive  
> purposes is a reality that I don’t think a good security-minded browser  
> should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links  
also doesn't allow selectors like

   :link > span, :visited > span


Anne van Kesteren
Received on Wednesday, 16 April 2008 20:57:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:10:00 UTC