W3C home > Mailing lists > Public > www-style@w3.org > August 2013

Re: [css-colors] Specify the System Colors colors

From: L. David Baron <dbaron@dbaron.org>
Date: Fri, 30 Aug 2013 20:04:59 -0400
To: Dirk Schulze <dschulze@adobe.com>
Cc: Simon Pieters <simonp@opera.com>, "www-style@w3.org" <www-style@w3.org>
Message-ID: <20130831000459.GA12932@crum.dbaron.org>
On Friday 2013-08-30 12:48 -0700, Dirk Schulze wrote:
> So according to the tests from Simon, all browsers support some kind of color sets that are not interoperable at all.

Um, Simon's tests don't show lack of interop.  The purpose of the
system fonts is to reflect system settings; showing lack of interop
requires showing lack of interop between different browsers on a
system with the same settings, or showing failure to match the
defined behavior.

That said, I suspect actual interop is pretty good on Windows, and
less good on other desktop platforms.

> There is just one exception with Android and iOS and we don't know if that changes with one of the next versions.

If we standardize on a set of colors, I think it would make more
sense to use a set of colors from the default theme of a recent
Windows version than to use the Android/iOS defaults.

> Do UAs not see any privacy concerns? If so, why does the view between the WG and the UAs differ? Are the color profiles actively used as spoofing mechanism? And what does the attacker get for relevant information from the color settings (even if they would be OS theme dependent)?

So I think there are two separate privacy/security concerns:
spoofing (presenting fake dialogs to the user that appear to be
real) and fingerprinting (using data that differs between users to
identify them).

In practice, I'm not that worried about spoofing.  Users seem to be
spoofed just fine with screenshots of dialogs.  (Perhaps that's a
sign that there's so much non-native-looking UI around that users
have no expectation of native-looking UI.)  Though spoofing could
become more of a risk in the future, I suppose.

The fingerprinting is perhaps more of a real concern, but I think
this is far from the worst fingerprinting vector available in CSS.
(I suspect that's fonts.)

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
               - Robert Frost, Mending Wall (1914)

Received on Saturday, 31 August 2013 00:05:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:08:33 UTC