On 2015-04-28 1:38 AM, Brian Birtles wrote:
> On 2015/04/28 10:43, Jonas Sicking wrote:
>> Please make sure to do a security review so that this doesn't expose
>> any sensitive information accidentally. In particular, is there any
>> way to use this API to use :visited hacks along with timing
>> information to see if a user has visited a particular URL?
>
> I think we're ok since :visited only affects colors which shouldn't
> affect render or composite times? Is there someone we should loop in who
> can give a more informed appraisal?

You can have style like:

  <a href="...">some content that is expensive to paint/composite</a>

and then have:

  a {
    display: none;
  }
  a:visited {
    display: inline;
  }

And then time the painting/compositing of the said content. However, I
believe this timing side channel already exists in Gecko. Please double
check with the security team.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
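
An added example for reviewers, not code from the thread or from Gecko: the statement that ":visited only affects colors" corresponds to the restriction on which properties a :visited rule may set, and this sketch applies that restriction to a stylesheet to show which declarations get through. The allow-list follows MDN's documented :visited privacy restrictions and is an assumption about the engine under review; `parseRules`, `auditVisitedRules` and `SAMPLE_CSS` are hypothetical names.

```javascript
// Properties a :visited rule may set, per MDN's ":visited" privacy
// restrictions (assumption: the engine under review enforces this list;
// for fill and stroke only the colour part is honoured).
const VISITED_ALLOWED = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "column-rule-color", "outline-color", "text-decoration-color",
  "text-emphasis-color", "fill", "stroke",
]);

// Minimal parser for flat "selector { prop: value; }" rules (no nesting).
function parseRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const declarations = m[2].split(";")
      .map((d) => d.trim())
      .filter((d) => d.includes(":"))
      .map((d) => {
        const i = d.indexOf(":");
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// For every rule whose selector uses :visited, split its declarations into
// those the restriction lets through and those it drops.
function auditVisitedRules(css) {
  const props = (decls, keep) =>
    decls.filter((d) => VISITED_ALLOWED.has(d.prop) === keep).map((d) => d.prop);
  return parseRules(css)
    .filter((r) => /:visited\b/i.test(r.selector))
    .map((r) => ({
      selector: r.selector,
      honored: props(r.declarations, true),
      dropped: props(r.declarations, false),
    }));
}

// Constructed sample: the two rules from the message plus a colour-only rule.
const SAMPLE_CSS = `
a { display: none; }
a:visited { display: inline; }
a.ref:visited { color: purple; outline-color: gray; }
`;

console.log(JSON.stringify(auditVisitedRules(SAMPLE_CSS), null, 2));
```

Any entry with a non-empty `dropped` list is a rule that relies on :visited for something other than colour, which is the case to raise with the security team.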