On 2015/05/12 4:58, Boris Zbarsky wrote:
> On 5/11/15 3:32 PM, Ehsan Akhgari wrote:
>> You can have style like:
>> ...
>> And then time the painting/compositing of the said content.
>
> No, you can't.  We explicitly forbid that, precisely because of
> side-channel timing attacks.  dbaron has a good writeup about how the
> :visited mitigation works at http://dbaron.org/mozilla/visited-privacy
> but the upshot is that in the above testcase the <a> will be
> display:none whether it's visited or not.

There does appear to be at least one possible attack vector which involves detecting if a PerformanceRenderTiming event is fired or not within a certain time window after changing a link's URL.

Mitigation is being discussed here:

  https://github.com/w3c/frame-timing/issues/40#issuecomment-97888895

Best regards,

Brian
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
