On 5/11/15 3:32 PM, Ehsan Akhgari wrote:
You can have style like:<a href="...">some content that is expensive to paint/composite</a> and then have; a { display: none; } a:visited { display: inline; } And then time the painting/compositing of the said content.
No, you can't. We explicitly forbid that, precisely because of side-channel timing attacks. dbaron has a good writeup about how the :visited mitigation works at http://dbaron.org/mozilla/visited-privacy but the upshot is that in the above testcase the <a> will be display:none whether it's visited or not.
-Boris _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
