The other day, I saw another of those pages about using :visited and display in order to allow others to learn whether the user has visited a page. (I remember Johannes pointing to a page about this last year, too.)

I wonder whether it would be sensible to have a dillorc option defaulting to NO for whether to use :visited.

On Tue, Jan 05, 2010 at 03:36:24PM +0000, corvid wrote:
> The other day, I saw another of those pages about using :visited and display in order to allow others to learn whether the user has visited a page. (I remember Johannes pointing to a page about this last year, too.)
>
> I wonder whether it would be sensible to have a dillorc option defaulting to NO for whether to use :visited.

Yes, that sounds good. We should distinguish between remote / embedded CSS and user agent and user stylesheet though. For the latter two we don't need any restrictions. We might also do some other restrictions on remote CSS in the future, e.g. possible dillo specific extensions should also be only accessible via the user agent and user stylesheet.

Johannes wrote:
> On Tue, Jan 05, 2010 at 03:36:24PM +0000, corvid wrote:
> > The other day, I saw another of those pages about using :visited and display in order to allow others to learn whether the user has visited a page. (I remember Johannes pointing to a page about this last year, too.)
> >
> > I wonder whether it would be sensible to have a dillorc option defaulting to NO for whether to use :visited.
>
> Yes, that sounds good. We should distinguish between remote / embedded CSS and user agent and user stylesheet though. For the latter two we don't need any restrictions.

Does this look right?

On Mon, Apr 05, 2010 at 07:18:26PM +0000, corvid wrote:
> Johannes wrote:
> > On Tue, Jan 05, 2010 at 03:36:24PM +0000, corvid wrote:
> > > The other day, I saw another of those pages about using :visited and display in order to allow others to learn whether the user has visited a page. (I remember Johannes pointing to a page about this last year, too.)
> > >
> > > I wonder whether it would be sensible to have a dillorc option defaulting to NO for whether to use :visited.
> >
> > Yes, that sounds good. We should distinguish between remote / embedded CSS and user agent and user stylesheet though. For the latter two we don't need any restrictions.
>
> Does this look right?

I'm also currently thinking about this issue - reminded by this article:
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

Maybe the fix implemented in your patch is too drastic. I would hope that something like the solution presented in the article above would be enough. If so, I would simply hardcode it and not make an option to disable it.

Cheers,
Johannes

participants (2): corvid@lavabit.com, Johannes.Hofmann@gmx.de
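
An added example, not part of the thread and not the patch discussed in it or Dillo's own code: a minimal model of the origin distinction raised above, where remote / embedded (author) rules see every link as unvisited unless the option is on, while user agent and user stylesheet rules see the real state. The types, function names and the `allow` flag are hypothetical, and the cascade is simplified to "later rule wins".

```cpp
// Added illustration: hypothetical types, not Dillo's CSS engine.
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum class Origin { UserAgent, User, Author };  // Author = remote / embedded CSS
enum class Pseudo { None, Link, Visited };

struct Rule { Origin origin; Pseudo pseudo; std::string property, value; };

// Visited state as a rule of the given origin is allowed to see it.
// Author rules see "unvisited" for every link unless the option is on.
bool visited_as_seen(Origin o, bool really_visited, bool allow_author_visited) {
    if (o == Origin::Author && !allow_author_visited) return false;
    return really_visited;
}

bool matches(const Rule &r, bool really_visited, bool allow_author_visited) {
    bool v = visited_as_seen(r.origin, really_visited, allow_author_visited);
    if (r.pseudo == Pseudo::Link) return !v;    // masked too: :link is the same oracle
    if (r.pseudo == Pseudo::Visited) return v;
    return true;
}

// Simplified cascade: rules are applied in order and the later one wins.
std::map<std::string, std::string> style_link(const std::vector<Rule> &rules,
                                              bool really_visited, bool allow) {
    std::map<std::string, std::string> out;
    for (const Rule &r : rules)
        if (matches(r, really_visited, allow)) out[r.property] = r.value;
    return out;
}

// Constructed sample: a user agent sheet plus a remote sheet that hides visited links.
std::vector<Rule> sample_rules() {
    return {{Origin::UserAgent, Pseudo::Link, "color", "blue"},
            {Origin::UserAgent, Pseudo::Visited, "color", "purple"},
            {Origin::Author, Pseudo::Link, "display", "inline"},
            {Origin::Author, Pseudo::Visited, "display", "none"}};
}

int main() {
    for (bool visited : {false, true})
        std::cout << "visited=" << visited << " display="
                  << style_link(sample_rules(), visited, false)["display"] << "\n";
}
```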