This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29533 - Add 'Security Considerations' and 'Privacy Considerations' sections
Summary: Add 'Security Considerations' and 'Privacy Considerations' sections
Status: NEW
Alias: None
Product: CSS
Classification: Unclassified
Component: CSSOM View
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Simon Pieters
QA Contact: public-css-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-15 16:05 UTC by Simon Pieters
Modified: 2016-04-26 09:09 UTC

See Also:
Description Simon Pieters 2016-03-15 16:05:25 UTC
https://drafts.csswg.org/cssom-view/

Security:

* Scrolling APIs might be used e.g. for clickjacking.
* Moving and resizing windows might be used e.g. to emulate a native platform dialog.
* The "supported open() feature name" is more limited in the spec than it is in implementations; wider support to hide various parts of the UI might be used e.g. to emulate a native platform dialog.
* Failure to implement same-origin restrictions for scrolling APIs ...
* Failure to implement #allowed-to-resize-and-move restrictions for moving and resizing windows ...
* ...?

Privacy:

* Fingerprinting.
* Exposure to JS when the user's environment changes via e.g. MediaQueryList (cf. 'orientation', 'light-level', etc.)
* ...?
Comment 1 Anne 2016-03-15 16:18:57 UTC
One thing you want to mention here is that APIs that allow observing things of stylesheets, e.g., subresource loading (service workers, resource timing), need to be aware that if a stylesheet itself was not loaded using "cors" and is cross-origin, leaking data of those subresources is a same-origin policy violation.

That's really a generic issue for CSS, but it seems CSSOM is the grab bag for actually defining the model as to how CSS works.
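The rule Anne describes, written out as an added illustrative model (not browser, spec or CSSOM code): a stylesheet's rules, and anything an observing API reports about the subresources it requests, may only be exposed to a document when the sheet is same-origin or was fetched in CORS mode with a matching Access-Control-Allow-Origin. The `sheet` object shape and function names are assumptions made for this example.

```javascript
// Illustrative model of the "origin-clean" decision for a stylesheet.
// Not browser code: a constructed example to show where the leak would be.

// Origin (scheme://host:port) of a URL; "null" for unparsable input.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return "null"; }
}

// Fetch mode implied by a <link rel=stylesheet>: no crossorigin attribute
// means an opaque "no-cors" fetch, any crossorigin value means a CORS fetch.
function linkFetchMode(crossoriginAttr) {
  return crossoriginAttr === undefined ? "no-cors" : "cors";
}

// sheet = { url, crossorigin, responseHeaders } with lower-cased header names.
function isOriginClean(documentOrigin, sheet) {
  if (originOf(sheet.url) === documentOrigin) return true;       // same-origin
  if (linkFetchMode(sheet.crossorigin) !== "cors") return false;  // opaque response
  const acao = (sheet.responseHeaders || {})["access-control-allow-origin"];
  if (acao === documentOrigin) return true;
  // A wildcard only satisfies a request that was made without credentials.
  return acao === "*" && sheet.crossorigin !== "use-credentials";
}

// What an observing API (resource timing, a service worker) may report about a
// subresource (an @import or url() image) that the sheet caused to be fetched.
function subresourceReport(documentOrigin, sheet, subresourceUrl, durationMs) {
  if (!isOriginClean(documentOrigin, sheet)) {
    // Not origin-clean: report nothing. Exposing the URL or timing would tell
    // the document what a cross-origin stylesheet references.
    return null;
  }
  return { url: subresourceUrl, initiator: sheet.url, duration: durationMs };
}
```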
Comment 2 Simon Pieters 2016-03-15 17:35:04 UTC
Yes, that's for CSSOM though, not CSSOM View. Thanks!
Comment 3 Simon Pieters 2016-04-26 09:09:51 UTC
Privacy:

* https://www.w3.org/Bugs/Public/show_bug.cgi?id=29577