Re: [selectors-api] Handling :link and :visited Pseudo Classes

On Wed, 16 Apr 2008, L. David Baron wrote:
> On Wednesday 2008-04-16 23:26 +0200, Arve Bersvendsen wrote:
> > Also note that it is impossible to protect against Anne's suggested exploit 
> > where you load a randomized and unique tracker image as background or 
> > content for visited links, and do the data collection serverside instead.
> 
> It's not impossible; it just requires deviations from current standards 
> and probably a lot of work.

Actually that one's trivial -- just load all background images 
optimistically.


> On Wednesday 2008-04-16 14:39 -0700, Maciej Stachowiak wrote:
> > I'd like us to understand how it is feasible to ever fully solve this 
> > problem before catering to partial solutions in the Selectors API spec.
> 
> My current thinking (from
> https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c65 ) is that
> what we'd need to do to fix this is:
> 
>  1. change CSS selector matching so that :visited rules are used
>     *only* for the non-alpha components of the 'color' and
>     'background-color' properties (and everything else is computed
>     based on the :link rules)
> 
>  2. make getComputedStyle and any other APIs lie about those two
>     properties
> 
> I think anything short of (1), with perhaps a few additional allowed 
> properties, is subject to timing exploits (which are sometimes 
> inherently engine-dependent), such as the example in 
> https://bugzilla.mozilla.org/show_bug.cgi?id=147777#attach_135350 which 
> works at least in some older versions of Mozilla and Opera.
> 
> I'm not sure whether this is something we actually *want* to do.

Opera at one point had something that basically consisted of doing the 
layout twice, once for the user and once for DOM calls (offsetTop, etc). 
However, even in this solution I was able to demonstrate information 
leakage by using a timing attack based on how long selectors took to be 
processed in the two cases.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 16 April 2008 22:41:57 UTC
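
The two-step proposal quoted above (restrict :visited to the non-alpha parts of 'color' and 'background-color', and have getComputedStyle report the :link values), sketched as an added example that is not part of the original thread and not any browser's code. The function names, the `{r, g, b, a}` colour objects and the sample rules are assumptions made up for illustration; the model covers style resolution only and says nothing about the timing channels mentioned in the message.

```javascript
// Toy model (constructed for illustration) of the two-step proposal:
// :visited may only change the RGB part of 'color' and 'background-color',
// and script-visible APIs report the :link result.
const VISITED_SAFE = new Set(['color', 'background-color']);
const clone = (o) => JSON.parse(JSON.stringify(o));

// Colours are {r, g, b, a}; every other property value is an opaque string.
function resolveLinkStyle(linkRules, visitedRules, isVisited) {
  // Step 2: what a getComputedStyle-like API reports is always the :link style.
  const reported = clone(linkRules);
  // Step 1: rendering also starts from the :link style ...
  const rendered = clone(linkRules);
  if (isVisited) {
    for (const [prop, value] of Object.entries(visitedRules)) {
      if (!VISITED_SAFE.has(prop)) continue; // background-image, font-size: dropped
      // ... and only r, g, b come from :visited; alpha stays the :link alpha
      // (1 if the :link rules set no value; a simplification of this model).
      const base = rendered[prop] || { a: 1 };
      rendered[prop] = { r: value.r, g: value.g, b: value.b, a: base.a };
    }
  }
  return { rendered, reported };
}

// URLs the engine would request for a resolved style (background image only).
function urlsFetched(style) {
  return style['background-image'] ? [style['background-image']] : [];
}

// Constructed sample rules.
const linkRules = {
  color: { r: 0, g: 0, b: 238, a: 1 },
  'background-image': 'https://static.example/link.png',
  'font-size': '16px',
};
const visitedRules = {
  color: { r: 85, g: 26, b: 139, a: 0 },  // alpha 0 would hide visited text
  'background-image': 'https://tracker.example/seen?id=constructed',
  'font-size': '40px',                    // would shift layout (offsetTop etc.)
};

const unvisited = resolveLinkStyle(linkRules, visitedRules, false);
const visited = resolveLinkStyle(linkRules, visitedRules, true);
console.log('rendered:', visited.rendered.color, 'reported:', visited.reported.color);
console.log('fetched for visited link:', urlsFetched(visited.rendered));
```

In this model the visited and unvisited links differ only in the rendered RGB value; the reported style, the layout-affecting properties and the set of fetched URLs are identical.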