- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 16 Apr 2008 22:57:38 +0200
- To: "Travis Leithead" <travil@windows.microsoft.com>, "Lachlan Hunt" <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>

On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead
<travil@windows.microsoft.com> wrote:
> However, I recently decided to keep the Selectors API behavior the same
> because 1) we have had no customer-reported problems/feedback on the
> current mitigation, and 2) I'd like to make IE8 just that much more
> secure. (On reason #1, I concede that this is a Beta, and the Selectors
> API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using
currentStyle... Or using
#google-com:visited { background:url(tracker?google-com) }
or something like that.

> The current mitigation does exclude the ability to retrieve a list of
> links. However, I'm sure I don't have to remind you folks that for this
> scenario, there's already an excellent pre-established list of links off
> of the document [1]. The only thing you're not getting is the subset of
> links that the user has visited, and while there are use-cases for
> styling said list, the exploitation of this list for destructive
> purposes is a reality that I don’t think a good security-minded browser
> should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links
also doesn't allow selectors like

  :link > span, :visited > span

etc.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 16 April 2008 20:57:02 UTC