- From: L. David Baron <dbaron@dbaron.org>
- Date: Wed, 16 Apr 2008 15:28:36 -0700
- To: Arve Bersvendsen <arveb@opera.com>, Maciej Stachowiak <mjs@apple.com>
- Cc: Travis Leithead <travil@windows.microsoft.com>, Lachlan Hunt <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>
On Wednesday 2008-04-16 23:26 +0200, Arve Bersvendsen wrote: > Also note that it is impossible to protect against Anne's suggested exploit > where you load a randomized and unique tracker image as background or > content for visited links, and do the data collection serverside instead. It's not impossible; it just requires deviations from current standards and probably a lot of work. On Wednesday 2008-04-16 14:39 -0700, Maciej Stachowiak wrote: > I'd like us to understand how it is feasible to every fully solve this > problem before catering to partial solutions in the Selectors API spec. My current thinking (from https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c65 ) is that what we'd need to do to fix this is: 1. change CSS selector matching so that :visited rules are used *only* for the non-alpha components of the 'color' and 'background-color' properties (and everything else is computed based on the :link rules) 2. make getComputedStyle and any other APIs lie about those two properties I think anything short of (1), with perhaps a few additional allowed properties, is subject to timing exploits (which are sometimes inherently engine-dependent), such as the example in https://bugzilla.mozilla.org/show_bug.cgi?id=147777#attach_135350 which works at least in some older versions of Mozilla and Opera. I'm not sure whether this is something we actually *want* to do. -David -- L. David Baron http://dbaron.org/ Mozilla Corporation http://www.mozilla.com/
Received on Wednesday, 16 April 2008 22:30:19 UTC