Re: [css-shaders] security - timing attacks

* Gregg Tavares (wrk) wrote:
>On Thu, Oct 20, 2011 at 4:06 PM, Dean Jackson <dino@apple.com> wrote:
>> I think that's the key here. A CSS shader (or even any CSS filter really)
>> should not get any cross-domain iframe content as input.
>
>Even without that you can spy on a user's link history by checking his
>"visited" colors using this method.

This would seem to be defeated by considering links unvisited for the
purposes of shader input, like they are considered unvisited for many
other purposes in browsers that try to protect against history leaks,
even if that doesn't seem terribly convenient to implement.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Friday, 21 October 2011 00:07:25 UTC