Complicated CSS effects and :visited selector leak browser history through paint timing
Categories: Core :: Layout, defect, P1
People: Reporter: mismith, Unassigned
Details: 5 keywords, Whiteboard: [pixel-stealing][layout:backlog]
Attachments: 2 files
Comment 9•6 years ago
Marking this as stalled pending continued discussions in the CSSWG on preferred method for resolving this type of history leak. Keeping in layout backlog icebox to take action on it once we have more consensus.
Comment 10•5 years ago
Sean, did anything ever come of the CSSWG discussions?
Comment 11•5 years ago
No, there's still not really been any movement on this in the CSSWG to my knowledge.
Comment 12•5 years ago
The "stalled" keyword refers to the security investigation; it's not appropriate when we have full working steps to reproduce. The engineering design of a fix may be pending other work or decisions, but it still counts as a valid security bug hanging over our heads.
Given the importance of "Privacy" as a brand value maybe we should forge ahead with a unilateral solution rather than waiting for a standards change, as we did in 2010 with the first major fix for :visited history leakage. Maybe get off the whack-a-mole train of trying to eliminate timing attacks in graphics and change our approach to change what :visited means -- completely out of the realm of any decision by CSS standards. Project Fission is trying to resolve cross-origin leaks through site-isolation so maybe history needs to be part of that. For example, only style same-origin or same-"site" links as :visited, or double-key history and only show :visited if you've gone there from the current site.
[FWIW I didn't have much success with the attack.html testcase (on Mac) but svgattack.html was reliable enough in Firefox and Chrome.]
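An added example (not Firefox code and not one of this bug's attachments) that models the two mitigations floated above: restricting :visited styling to same-site links, and double-keying history on the top-level site so a link only looks visited if it was reached from the current site. The toy public-suffix list, the `VisitedHistory` store, the `shouldStyleVisited` function and the constructed history entries are all assumptions made for the illustration; a real implementation would consult the full Public Suffix List.

```javascript
// Added illustration of :visited partitioning policies. Not Firefox code.
// Assumption: a tiny public-suffix list stands in for the real one.
const TOY_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Reduce a URL to its "site" (registrable domain, eTLD+1) using the toy list.
function siteOf(urlString) {
  const host = new URL(urlString).hostname;
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (TOY_PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host; // no known suffix (e.g. localhost): the host is the site
}

// Strip the fragment so "/account" and "/account#x" are the same history entry.
function normalize(urlString) {
  const u = new URL(urlString);
  u.hash = "";
  return u.href;
}

// Hypothetical history store keeping both a global set (legacy behaviour) and
// a partitioned set keyed by the top-level site the navigation started from.
class VisitedHistory {
  constructor() {
    this.global = new Set();       // every URL ever visited
    this.partitioned = new Set();  // "<top-level site>|<url>" pairs
  }
  recordNavigation(fromTopLevelUrl, toUrl) {
    const dest = normalize(toUrl);
    this.global.add(dest);
    this.partitioned.add(`${siteOf(fromTopLevelUrl)}|${dest}`);
  }
}

// Decide whether a link on page `topLevelUrl` may be painted as :visited.
//   "legacy"       - any globally visited URL (the behaviour that leaks cross-site)
//   "same-site"    - only links whose site matches the page's site
//   "double-keyed" - only if the user reached the link from this site before
function shouldStyleVisited(policy, history, topLevelUrl, linkHref) {
  const dest = normalize(new URL(linkHref, topLevelUrl).href); // resolve relative hrefs
  switch (policy) {
    case "legacy":
      return history.global.has(dest);
    case "same-site":
      return siteOf(topLevelUrl) === siteOf(dest) && history.global.has(dest);
    case "double-keyed":
      return history.partitioned.has(`${siteOf(topLevelUrl)}|${dest}`);
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed scenario: the user visited their bank directly; a third-party
// page then embeds a link to the same bank URL and tries to style it.
function demo() {
  const history = new VisitedHistory();
  history.recordNavigation("https://bank.example.com/", "https://bank.example.com/account");
  const thirdParty = "https://third-party.org/";
  const bankLink = "https://bank.example.com/account#summary";

  const before = {
    legacy: shouldStyleVisited("legacy", history, thirdParty, bankLink),
    sameSite: shouldStyleVisited("same-site", history, thirdParty, bankLink),
    doubleKeyed: shouldStyleVisited("double-keyed", history, thirdParty, bankLink),
    // the bank's own pages still see the link as visited under same-site
    sameSiteOnBank: shouldStyleVisited("same-site", history, "https://www.bank.example.com/", bankLink),
  };

  // Only after the user actually follows the link from the third-party site
  // does the double-keyed entry for that (site, URL) pair exist.
  history.recordNavigation(thirdParty, bankLink);
  const after = {
    doubleKeyed: shouldStyleVisited("double-keyed", history, thirdParty, bankLink),
    sameSite: shouldStyleVisited("same-site", history, thirdParty, bankLink),
  };
  return { before, after };
}

module.exports = { siteOf, normalize, VisitedHistory, shouldStyleVisited, demo };
```

Under the legacy policy the third-party page learns the bank visit; under either proposed policy it does not, and double-keying still lets a site show its own outbound links as visited once the user has followed them from there, which is the trade-off the comment describes.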
Comment 13•5 years ago
I changed the rating to match bug 1239897 and other variants.
Per bug 1239897 comment 15 this issue has been published by the author in a paper at https://www.spinda.net/papers/smith-2018-revisited.pdf and got some press attention at the time. Maybe it's time to unhide this bug.
Comment 14•5 years ago
For what it's worth, I am looking into these at the moment in bug 1506842. We have several dupes of this bug; any preferences for which one should be the canonical one?
Comment 15•5 years ago
I don't have a strong preference for which bug you pick, a weak preference for "oldest" (that fits anyway; bug 557579 is perhaps too prescriptive of the solution, but bug 1239897 might work). But if you're the one doing the work and you strongly prefer bug 1506842 that's fine too. My main concern is that the different bugs use different techniques to detect the timing differences, and that in duping them all we might not actually fix one of the cases (short of a solution that simply stops showing cross-origin visited links or some such). So I tend to prefer keeping these all as "depends on" so they get independently verified once they're marked FIXED.
Comment 16•5 years ago
I'm going through all our P1s. The other see-also bugs related to this are P3, so I'm going to set this at the same priority. Emilio is actively working on it anyway.
Comment 17•5 years ago
Now that we triage by severity, setting priority to P1 to reflect backlog prioritization on this bug as either in-progress, or planned development in the near term. See https://wiki.mozilla.org/Platform/Layout#Backlog_Tracking_in_Bugzilla
Comment 18•4 years ago
Removing employee no longer with company from CC list of private bugs.
Comment 19•4 years ago
My understanding is that bug 1632765 should've fixed this. The PoC no longer works.
Comment 20•4 years ago
The bounty committee believes this is a good testcase for a long-known issue, which was fixed in other independently reported bugs.