Re: NodeSelector, :visited, and :link from Alan Gresley on 2010-08-26 (www-style@w3.org from August 2010)

From: Alan Gresley <alan@css-class.com>
Date: Thu, 26 Aug 2010 13:49:45 +1000
To: Garrett Smith <dhtmlkitchen@gmail.com>
CC: Boris Zbarsky <bzbarsky@mit.edu>, Patrick Garies <pgaries@fastmail.us>, www-style <www-style@w3.org>
Message-ID: <4C75E459.2000707@css-class.com>

Garrett Smith wrote:
> On 8/22/10, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 8/22/10 10:02 PM, Garrett Smith wrote:
>>> On 8/22/10, Boris Zbarsky<bzbarsky@mit.edu>  wrote:
>>>> On 8/22/10 7:38 PM, Patrick Garies wrote:
>>>>> On 2010-08-18 9:45 PM, Garrett Smith wrote:
>>>>>> Do any browsers return just visited links for
>>>>>> document.querySelectorAll(":visited").
>>>>> Firefox 3.6 and Opera 10.6 do; they match links based on their
>>>>> visited/unvisited state including |link| element links.
>>>> Note that Firefox 4.0 will no longer do this; the NodeSelector methods
>>>> will treat all links as unvisited.  The definition of "link" in this
>>>> context is unaffected by this behavior change (so includes<html:a>,
>>>> <html:link>,<html:area>,<svg:a>).
>>>>
>>> What's the consequences of MUST'ing this into the spec?
>> What does "this" refer to in this context?
>>
> It refers to what is specified for :visited and :link, as described in
> Selectors API Level 1.
> <http://www.w3.org/TR/selectors-api/>
> 
>   "As defined in Selectors ([SELECT], section 6.6.1), user agents may
> treat all links as unvisited links. It is recommended that
> implementations behave consistently with other uses of Selectors
> supported by the user agent."
> 
> to:
>  "user agents must treat all links as unvisited links. Authors should
> be advised that some older user agents match visited links with
> :visited and unvisited links with :link."
> 
> Essentially along the lines of codifying the behavior. What's the
> point in a feature that is designed to be not interoperable?


This is a security issue. Servers can track a computer's personal 
browsing history by using attribute selectors together with :visited 
or server side scripts (for which I have little knowledge) and :visited.


> What if
> IE handles it one way while four browsers handle it another way, and
> then, say, an author decides that IE is buggy and thus not worth
> supporting, or, worse yet, uses one of those NFD (native-first dual)
> query engines (where the fallback either supports it, returns every
> element, returns no elements, or throws an error).


I presume authors "should" have been aware that :visited wasn't meant 
to behave as they did due to the security issue, but we know that most 
authors don't even know that there is a spec as per say.


> 
> See also LH's comments:
> <http://lists.w3.org/Archives/Public/public-webapi/2008Apr/0134.html>
> 
> Garrett
> 
> 
> 


-- 
Alan http://css-class.com/

Armies Cannot Stop An Idea Whose Time Has Come. - Victor Hugo

Received on Thursday, 26 August 2010 03:50:16 UTC