RE: [selectors-api] Handling :link and :visited Pseudo Classes

>> How is it more secure though? You can still get the same information using
>> currentStyle... Or using #google-com:visited
>> { background:url(tracker?google-com) } or something like that.

Yes, and many other techniques in IE, like 'expression' in CSS. The point isn’t that we're solving the entire problem now, it's that we're not adding new attack surface with the introduction of this new API. Yes, it's a pretty lame problem, but I'd not like to be responsible for spoon-feeding attackers the list of elements that allows them to detect unvisited (:link) and visited (:visited) links with one API call.

>> document.links doesn't return <area>, <link>, <svg:a>, etc. document.links
>> also doesn't allow selectors like
>>   :link > span, :visited > span

Again, correct, but couldn't that be simplified to:
a > span
?

BTW, .links does include areas. <link> cannot be navigated per se.

-----Original Message-----
From: Anne van Kesteren [mailto:annevk@opera.com]
Sent: Wednesday, April 16, 2008 1:58 PM
To: Travis Leithead; Lachlan Hunt; public-webapi
Subject: Re: [selectors-api] Handling :link and :visited Pseudo Classes

On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead
<travil@windows.microsoft.com> wrote:
> However, I recently decided to keep the Selectors API behavior the same
> because 1) we have had no customer-reported problems/feedback on the
> current mitigation, and 2) I'd like to make IE8 just that much more
> secure. (On reason #1, I concede that this is a Beta, and the Selectors
> API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using
currentStyle... Or using #google-com:visited
{ background:url(tracker?google-com) } or something like that.


> The current mitigation does exclude the ability to retrieve a list of
> links. However, I'm sure I don't have to remind you folks that for this
> scenario, there's already an excellent pre-established list of links off
> of the document [1]. The only thing you're not getting is the subset of
> links that the user has visited, and while there are use-cases for
> styling said list, the exploitation of this list for destructive
> purposes is a reality that I don’t think a good security-minded browser
> should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links
also doesn't allow selectors like

   :link > span, :visited > span

etc.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 16 April 2008 21:12:34 UTC