- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Thu, 12 Dec 2013 10:07:31 +1300
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: "public-fx@w3.org" <public-fx@w3.org>, www-style <www-style@w3.org>
- Message-ID: <CAOp6jLZ9ndEK9KFrOeCP7mK6Dfmvs98OWnwb23ts5tsruuFXrQ@mail.gmail.com>
On Wed, Dec 11, 2013 at 9:52 PM, Dirk Schulze <dschulze@adobe.com> wrote: > There is no further restriction. Rather the opposite: The ‘color’ property > is explicitly allowed to be changed for pseudo selectors like :visited. Are > you asking to change this? > No. Maybe I misunderstand you and you really mean that getComputedStyle() does > not return the actual color value that is used. Yes. > This is right. At least Firefox does not return the value set by :visited > pseudo selectors. I assume other browsers do the same. This does not mean > that currentColor does not actually uses a different color value (the one > specified by the :visited ‘color’ property setting) - even if it tells > otherwise. Since the timing attack works on the visual data rather than the > data of CSS OM, a “false” value on getComputedStyle() doesn’t matter. If > you want that to happen, we need to change the specification text in CSS > Colors. > I guess we should define in CSS Colors a "sanitized 'color' value" that is safe to be exposed to Web scripts, and in Filters define 'flood-color' and 'lighting-color' to use the "sanitized 'color' value" for currentColor Rob -- Jtehsauts tshaei dS,o n" Wohfy Mdaon yhoaus eanuttehrotraiitny eovni le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o Whhei csha iids teoa stiheer :p atroa lsyazye,d 'mYaonu,r "sGients uapr,e tfaokreg iyvoeunr, 'm aotr atnod sgaoy ,h o'mGee.t" uTph eann dt hwea lmka'n? gBoutt uIp waanndt wyeonut thoo mken.o w
Received on Wednesday, 11 December 2013 21:07:58 UTC