Re: [css-shaders] security - timing attacks

On Thu, Oct 20, 2011 at 4:06 PM, Dean Jackson <dino@apple.com> wrote:

>
> On 20/10/2011, at 2:31 PM, Tab Atkins Jr. wrote:
>
> > This scenario really depends on a pixel shader having
> > access to the pixels of cross-domain iframes, though.  If we just
> > blanked the element's rectangle before giving it to the shader, that
> > attack would be defeated.  The remaining leakage is probably small
> > enough to not worry about, you're right.
>
> I think that's the key here. A CSS shader (or even any CSS filter really)
> should not get any cross-domain iframe content as input.
>

Even without that you can spy on a user's link history by checking his
"visited" colors using this method.


>
> Dean
>
>

Received on Thursday, 20 October 2011 23:58:56 UTC