- From: L. David Baron <dbaron@dbaron.org>
- Date: Wed, 16 Apr 2008 17:27:46 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Arve Bersvendsen <arveb@opera.com>, Maciej Stachowiak <mjs@apple.com>, Travis Leithead <travil@windows.microsoft.com>, Lachlan Hunt <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>
On Wednesday 2008-04-16 22:41 +0000, Ian Hickson wrote: > On Wed, 16 Apr 2008, L. David Baron wrote: > > On Wednesday 2008-04-16 23:26 +0200, Arve Bersvendsen wrote: > > > Also note that it is impossible to protect against Anne's suggested exploit > > > where you load a randomized and unique tracker image as background or > > > content for visited links, and do the data collection serverside instead. > > > > It's not impossible; it just requires deviations from current standards > > and probably a lot of work. > > Actually that one's trivial -- just load all background images > optimistically. I was referring to the general problem. For example, if background images were allowed, it would likely be possible to do timing attacks based image vs. no image, based on images with vs. without transparency, or based on tiling of large vs. small images, etc. -David -- L. David Baron http://dbaron.org/ Mozilla Corporation http://www.mozilla.com/
Received on Thursday, 17 April 2008 00:28:51 UTC