On Thu, Oct 20, 2011 at 4:06 PM, Dean Jackson <dino@apple.com> wrote: > > On 20/10/2011, at 2:31 PM, Tab Atkins Jr. wrote: > > > This scenario really depends on a pixel shader having > > access to the pixels of cross-domain iframes, though. If we just > > blanked the element's rectangle before giving it to the shader, that > > attack would be defeated. The remaining leakage is probably small > > enough to not worry about, you're right. > > I think that's the key here. A CSS shader (or even any CSS filter really) > should not get any cross-domain iframe content as input. > Even without that you can spy on a user's link history by checking his "visited" colors using this method. > > Dean > >Received on Thursday, 20 October 2011 23:58:56 UTC
This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:08:06 UTC