This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
https://drafts.csswg.org/cssom-view/

Security:
* Scrolling APIs might be used e.g. for clickjacking.
* Moving and resizing windows might be used e.g. to emulate a native platform dialog.
* The "supported open() feature name" is more limited in the spec than it is in implementations; wider support to hide various parts of the UI might be used e.g. to emulate a native platform dialog.
* Failure to implement same-origin restrictions for scrolling APIs ...
* Failure to implement #allowed-to-resize-and-move restrictions for moving and resizing windows ...
* ...?

Privacy:
* Fingerprinting.
* Exposure to JS when the user's environment changes via e.g. MediaQueryList (cf. 'orientation', 'light-level', etc.)
* ...?
One thing you want to mention here is that APIs that allow observing things of stylesheets, e.g., subresource loading (service workers, resource timing), need to be aware that if a stylesheet itself was not loaded using "cors" and is cross-origin, leaking data of those subresources is a same-origin policy violation. That's really a generic issue for CSS, but it seems CSSOM is the grab bag for actually defining the model as to how CSS works.
Yes, that's for CSSOM though, not CSSOM View. Thanks!
Privacy: * https://www.w3.org/Bugs/Public/show_bug.cgi?id=29577