Re: [selectors-api] Handling :link and :visited Pseudo Classes

On Wednesday 2008-04-16 23:26 +0200, Arve Bersvendsen wrote:
> Also note that it is impossible to protect against Anne's suggested exploit 
> where you load a randomized and unique tracker image as background or 
> content for visited links, and do the data collection server-side instead.

It's not impossible; it just requires deviations from current
standards and probably a lot of work.

On Wednesday 2008-04-16 14:39 -0700, Maciej Stachowiak wrote:
> I'd like us to understand how it is feasible to ever fully solve this 
> problem before catering to partial solutions in the Selectors API spec.

My current thinking (from
https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c65 ) is that
what we'd need to do to fix this is:

 1. change CSS selector matching so that :visited rules are used
    *only* for the non-alpha components of the 'color' and
    'background-color' properties (and everything else is computed
    based on the :link rules)

 2. make getComputedStyle and any other APIs lie about those two
    properties

I think anything short of (1), with perhaps a few additional allowed
properties, is subject to timing exploits (which are sometimes
inherently engine-dependent), such as the example in
https://bugzilla.mozilla.org/show_bug.cgi?id=147777#attach_135350
which works at least in some older versions of Mozilla and Opera.

I'm not sure whether this is something we actually *want* to do.

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/

Received on Wednesday, 16 April 2008 22:30:19 UTC
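
The two-step change proposed in the message above, as an added toy model (not part of the original email and not code from any browser engine). The function names, the `[r, g, b, a]` colour representation, the initial values and the sample rules are all assumptions made for illustration.

```javascript
// Toy model of the proposal; constructed for illustration, not browser code.
// Colours are [r, g, b, a]; every other property value is an opaque string.
const VISITED_PROPS = new Set(['color', 'background-color']);
const INITIAL = { 'color': [0, 0, 0, 1], 'background-color': [0, 0, 0, 0] };

function resolveLinkStyle(linkRules, visitedRules, isVisited) {
  // Everything is computed from the :link rules, visited or not.
  const computed = { ...INITIAL, ...linkRules };
  const painted = { ...computed };
  if (isVisited) {
    for (const prop of VISITED_PROPS) {
      const v = visitedRules[prop];
      if (!Array.isArray(v)) continue;
      // Step 1: take only r, g, b from :visited; alpha stays the :link value.
      painted[prop] = [v[0], v[1], v[2], computed[prop][3]];
    }
  }
  return { computed, painted };
}

// Step 2: script-visible APIs report the :link-derived values only.
function getComputedStyleModel(style, prop) {
  return style.computed[prop];
}

// What a page can observe in this model: the script-visible values plus every
// painted property other than the two colours (loads, layout changes).
function observableByPage(style) {
  const out = { api: style.computed, sideEffects: {} };
  for (const [prop, value] of Object.entries(style.painted)) {
    if (!VISITED_PROPS.has(prop)) out.sideEffects[prop] = value;
  }
  return JSON.stringify(out);
}

// Constructed sample rules.
const linkRules = { 'color': [0, 0, 238, 1], 'background-image': 'none' };
const visitedRules = {
  'color': [85, 26, 139, 0.5],
  'background-image': 'url(/track?id=constructed)',
  'width': '100px',
};
const visited = resolveLinkStyle(linkRules, visitedRules, true);
const unvisited = resolveLinkStyle(linkRules, visitedRules, false);
console.log(visited.painted, observableByPage(visited) === observableByPage(unvisited));
```

In this model the visited link is drawn in a different colour, but the `:visited` background image and width are never applied and the script-visible values are identical for visited and unvisited links.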