w3c / fxtf-drafts

Mirror of https://hg.fxtf.org/drafts
https://drafts.fxtf.org/

[compositing] mix-blend-mode circumvents browsing history privacy protection #18

Open zcorpan opened 8 years ago

zcorpan commented 8 years ago

https://drafts.fxtf.org/compositing-1/#mix-blend-mode

'mix-blend-mode' appears to enable bypassing the browsing history protection browsers have for :visited.

Since it is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user’s consent, UAs may treat all links as unvisited links or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.

https://drafts.csswg.org/selectors/#link

(The measure commonly implemented I believe is to only allow foreground and background colors to be changed, and getComputedStyle returns the :link style.)

See https://lcamtuf.blogspot.se/2016/08/css-mix-blend-mode-is-bad-for-keeping.html by @lcamtuf and http://lcamtuf.coredump.cx/whack/ for a demo of the attack.

As far as I can tell, you don't even need the user to actually click. Using CSSOM View document.elementFromPoint(x, y) appears to work just as well.

I suppose this has to do with the used color somehow affecting hit testing (which we haven't defined)?

cc @cabanier @nikosandronikos @fantasai @tabatkins

AmeliaBR commented 8 years ago

@zcorpan Can you give more details about document.elementFromPoint(x, y) being affected by the computed alpha or color from blending? That shouldn't be happening.

This attack (in the demo) works by encouraging users to click on visibly distinct portions of the screen. I've seen similar demo attacks that use a fake CAPTCHA (with each letter being a link, and :visited styles causing some letters to be masked into the background) and ask the user to type what they see.

In other words, so long as any :visited styles can change the appearance of links, users can be tricked into giving away information about which links they have visited. Trying to solve this problem by limiting which styles can apply will always be imperfect.

The solution I mused about on Twitter is for user agents to not apply :visited styles on cross-origin links, possibly with whitelists for trusted domains such as the user's default search engines. Jake Archibald suggested that referrer domains could also be allowed, since the current website already has information about the referrer.
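A model of the policy sketched above (same-origin links, a trusted-host allowlist, and the referrer's origin), written as an added example; it is not part of this thread or of any browser's implementation, and the function names and the allowlist contents are assumptions:

```javascript
// Hypothetical UA policy: decide whether :visited styling may be applied to
// a link. Cross-origin links render as unvisited unless their host is on a
// user-trusted allowlist (e.g. default search engines) or matches the origin
// of the page's referrer, which that site already knows anyway.

function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

function shouldApplyVisitedStyle({ pageUrl, href, referrer = "", trustedHosts = [] }) {
  let page, link;
  try {
    page = new URL(pageUrl);
    link = new URL(href, page.href); // resolve relative hrefs against the page
  } catch {
    return false; // unparsable link: fail closed, render as unvisited
  }
  // Only web schemes can carry history state worth protecting or revealing.
  if (!/^https?:$/.test(link.protocol)) return false;
  if (originOf(link) === originOf(page)) return true;           // same origin
  if (trustedHosts.includes(link.hostname)) return true;         // allowlisted
  if (referrer) {
    try {
      if (originOf(new URL(referrer)) === originOf(link)) return true; // referrer origin
    } catch {
      // malformed referrer: ignore it rather than widen the policy
    }
  }
  return false;
}

// Apply the policy to every link on a page and report the decisions.
function visitedStyleDecisions(pageUrl, referrer, hrefs, trustedHosts) {
  return hrefs.map((h) => [h, shouldApplyVisitedStyle({ pageUrl, href: h, referrer, trustedHosts })]);
}

// Constructed sample: a page listing a mix of internal and external links.
const decisions = visitedStyleDecisions(
  "https://example.com/page",
  "https://news.example/feed",
  ["/about", "https://bank.example/", "https://search.example/q", "https://news.example/a"],
  ["search.example"]
);
console.log(decisions);
```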

zcorpan commented 8 years ago

Ah, I misunderstood how the demo worked. OK, ignore the bit about elementFromPoint.

nikosandronikos commented 8 years ago

That's very creative and clever. It will be difficult to avoid without some drastic changes. The fact that it relies on the user clicking the right area, and that there's the potential for the user to click anywhere and submit incorrect information, is a small saving grace.

As Amelia said, :visited as it is now is generally problematic and I think it needs some approach at the platform level to fix. There's not much we can do to mix-blend-mode specifically to avoid this that wouldn't be awfully hacky (e.g. making things with a :visited style isolated).

I feel that maybe browsers should move highlighting of visited links into an internal feature, where the user presses a hotkey and all visited links are highlighted somehow.

Also, I wonder if it's worth browsers displaying a warning for pages that have thousands of distinct URLs.

cabanier commented 8 years ago

Since this is not an issue specific to blend mode, we should close this bug, open a new one to deal with this general security issue and continue the discussion there.