Re: [selectors-api] Handling :link and :visited Pseudo Classes

On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead  
<travil@windows.microsoft.com> wrote:
> However, I recently decided to keep the Selectors API behavior the same  
> because 1) we have had no customer-reported problems/feedback on the  
> current mitigation, and 2) I'd like to make IE8 just that much more  
> secure. (On reason #1, I concede that this is a Beta, and the Selectors  
> API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using
currentStyle... Or using
#google-com:visited { background:url(tracker?google-com) }
or something like that.


> The current mitigation does exclude the ability to retrieve a list of  
> links. However, I'm sure I don't have to remind you folks that for this  
> scenario, there's already an excellent pre-established list of links off  
> of the document [1]. The only thing you're not getting is the subset of  
> links that the user has visited, and while there are use-cases for  
> styling said list, the exploitation of this list for destructive  
> purposes is a reality that I don’t think a good security-minded browser  
> should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links  
also doesn't allow selectors like

   :link > span, :visited > span

etc.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 16 April 2008 20:57:02 UTC