On Wed, 16 Apr 2008 22:49:30 +0200, Travis Leithead <[EMAIL PROTECTED]> wrote:
> However, I recently decided to keep the Selectors API behavior the same because 1) we have had no customer-reported problems/feedback on the current mitigation, and 2) I'd like to make IE8 just that much more secure. (On reason #1, I concede that this is a Beta, and the Selectors API has not had large public adoption as of yet.)

How is it more secure though? You can still get the same information using currentStyle... Or using #google-com:visited { background:url(tracker?google-com) } or something like that.

> The current mitigation does exclude the ability to retrieve a list of links. However, I'm sure I don't have to remind you folks that for this scenario, there's already an excellent pre-established list of links off of the document [1]. The only thing you're not getting is the subset of links that the user has visited, and while there are use-cases for styling said list, the exploitation of this list for destructive purposes is a reality that I don’t think a good security-minded browser should ignore.

document.links doesn't return <area>, <link>, <svg:a>, etc. document.links also doesn't allow selectors like

  :link > span, :visited > span

etc.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>