- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 16 Apr 2008 22:57:38 +0200
- To: "Travis Leithead" <travil@windows.microsoft.com>, "Lachlan Hunt" <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>

On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead <travil@windows.microsoft.com> wrote:

> However, I recently decided to keep the Selectors API behavior the same
> because 1) we have had no customer-reported problems/feedback on the
> current mitigation, and 2) I'd like to make IE8 just that much more
> secure. (On reason #1, I concede that this is a Beta, and the Selectors
> API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using currentStyle... Or using #google-com:visited { background:url(tracker?google-com) } or something like that.

> The current mitigation does exclude the ability to retrieve a list of
> links. However, I'm sure I don't have to remind you folks that for this
> scenario, there's already an excellent pre-established list of links off
> of the document [1]. The only thing you're not getting is the subset of
> links that the user has visited, and while there are use-cases for
> styling said list, the exploitation of this list for destructive
> purposes is a reality that I don’t think a good security-minded browser
> should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links also doesn't allow selectors like :link > span, :visited > span etc.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 16 April 2008 20:57:02 UTC