w3c / mediacapture-fromelement

API to create a MediaStream from Media Element
https://w3c.github.io/mediacapture-fromelement

Address information leak of :visited styles and disclosure of shadow DOM contents #69

Closed arturjanc closed 3 years ago

arturjanc commented 6 years ago

To combat the disclosure of the user's browsing history via styling anchors using the CSS :visited pseudoselector, user agents lie to scripts by always returning unvisited link style information when a script attempts to read the style of a link element (see https://dbaron.org/mozilla/visited-privacy). The inability to obtain the real color with which the link is rendered prevents the page from learning if a user had visited a given URL.

If markup can be rendered as part of a VideoTrack (e.g. as part of a subtitle or caption) and the page can use the captureStream() method to get a stream of bytes corresponding to the content rendered on the user's screen, the page will be able to learn the real color with which a link is rendered. This would undermine the current fix which prevents browsing history from being disclosed to the page. I'm not sure if this is currently possible due to restrictions on markup which can be used as part of subtitles or captions (i.e. I don't know if VTT or other caption formats support links), but it's still a concern if caption formats are expanded in the future.

In a somewhat separate but related concern, native browser UI elements may be rendered as a result of the user interacting with a form field (e.g. a password input, or form autofill tools). If such markup is present as part of a text track in a stream, and if contents of the shadow DOM make it into the stream captured by the Media Capture APIs, it could allow a page to obtain information it otherwise couldn't access.

Perhaps this is worth a note somewhere in the Security section?

alvestrand commented 6 years ago

I'm not quite certain about the mechanics of this issue. Could you clarify? Capturing screen content from a

arturjanc commented 6 years ago

I'm not quite certain about the mechanics of this issue. Could you clarify?

If a <video> element contains a <track kind="subtitles"> and that subtitle track adds a subtitle with HTML markup, would the MediaStream returned by captureStream() on the video element include the text of the subtitles?

If yes, and if the subtitle markup contained a link (which, again, I'm not sure if current implementations support), would the color of the link inside the MediaStream correspond to the actual color the user sees, or to the color reported by LinkElement.style.color (which may be purposefully different from what the user sees to prevent the :visited infoleak)?

Basically, my concern is that because browsers prevent scripts from obtaining some information about what the page actually looks like (e.g. the real color with which a link is rendered), then an API which returned a MediaStream of the pixels displayed on the user's screen as a result of rendering a DOM element (e.g. <video>) might need to take this into account and prevent the exposure of such information.

It's definitely possible that I'm misunderstanding the API though, so if it's not susceptible to this problem, it would be good to know, and possibly make this explicit in the spec.

dontcallmedom commented 3 years ago

I don't believe there is any way for HTML Video elements to display links, so I don't think there is any risk of leaking history info via this API.
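The question left open in the thread (whether a subtitle track can carry a link at all) can be checked against the WebVTT cue-text parsing rules. The following is an added example written for this page; it is not code from the mediacapture-fromelement repository or from any browser. It is a simplified WebVTT cue-text parser that follows the spec's rule that only the start tags c, i, b, u, ruby, rt, v, lang and timestamp tags create nodes, and that any other start tag (an <a href=...>, for instance) is dropped. The link's text survives as plain text, but no anchor element, and so no :visited styling, ever reaches the rendered track. The sample cue payloads are constructed for the demonstration, and ruby/rt end-tag handling and entity coverage are simplified relative to the spec.

```javascript
// Added example (not from the mediacapture-fromelement repo): simplified
// WebVTT cue-text parser showing that an <a> tag never becomes a node.

// Start tags the WebVTT cue-text parsing rules recognise.
const WEBVTT_TAGS = new Set(['c', 'i', 'b', 'u', 'ruby', 'rt', 'v', 'lang']);

// Subset of the entities WebVTT cue text may contain.
const ENTITIES = { amp: '&', lt: '<', gt: '>', nbsp: '\u00a0', lrm: '\u200e', rlm: '\u200f' };

function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|nbsp|lrm|rlm);/g, (_, name) => ENTITIES[name]);
}

// Builds the cue's node tree and records every start tag that was dropped.
function parseCueText(text) {
  const root = { type: 'root', children: [] };
  const stack = [root];
  const droppedTags = [];
  let i = 0;
  while (i < text.length) {
    if (text[i] !== '<') {
      // Text run: everything up to the next '<' or the end of the cue.
      const next = text.indexOf('<', i);
      const end = next === -1 ? text.length : next;
      stack[stack.length - 1].children.push({ type: 'text', value: decodeEntities(text.slice(i, end)) });
      i = end;
      continue;
    }
    const close = text.indexOf('>', i);
    // An unterminated tag consumes the rest of the cue and produces no node.
    const body = (close === -1 ? text.slice(i + 1) : text.slice(i + 1, close)).trim();
    i = close === -1 ? text.length : close + 1;

    if (body.startsWith('/')) {
      // End tag: closes the current node only when the names match; a stray end tag is ignored.
      const name = body.slice(1).trim();
      if (stack.length > 1 && stack[stack.length - 1].type === name) stack.pop();
      continue;
    }
    if (/^\d/.test(body)) {
      // Timestamp tag such as <00:00:02.500>: a leaf used for karaoke-style timing.
      stack[stack.length - 1].children.push({ type: 'timestamp', value: body });
      continue;
    }
    // Start tag of the form "name.class1.class2 annotation".
    const m = /^([^.\s]*)((?:\.[^.\s]*)*)(?:\s+(.*))?$/s.exec(body);
    const name = m[1];
    if (!WEBVTT_TAGS.has(name)) {
      // Unrecognised start tag (e.g. <a href=...>): dropped, no node is created,
      // so nothing link-like can be rendered in the track.
      droppedTags.push(name);
      continue;
    }
    const node = {
      type: name,
      classes: m[2].split('.').filter(Boolean),
      annotation: m[3] || '', // voice name for <v>, language for <lang>
      children: [],
    };
    stack[stack.length - 1].children.push(node);
    stack.push(node);
  }
  return { tree: root, droppedTags };
}

// Text as it would appear in the rendered cue, with all markup removed.
function renderedText(node) {
  if (node.type === 'text') return node.value;
  if (node.type === 'timestamp') return '';
  return node.children.map(renderedText).join('');
}

// The check a reviewer of a caption format wants: did an anchor survive parsing?
// For WebVTT the answer is always false, because 'a' is not in WEBVTT_TAGS.
function cueRendersLink(text) {
  const { tree } = parseCueText(text);
  const walk = (n) => n.type === 'a' || (n.children || []).some(walk);
  return walk(tree);
}

// Constructed sample cue payloads, not taken from any real subtitle file.
const SAMPLES = {
  link: 'Visit <a href="https://example.com/">the example site</a> now',
  voice: '<v Bob>Hello &amp; welcome',
  styled: '<c.red.big>Warning</c> <00:00:02.500>later',
};

for (const [label, cue] of Object.entries(SAMPLES)) {
  const { droppedTags } = parseCueText(cue);
  console.log(label, JSON.stringify({ droppedTags, rendersLink: cueRendersLink(cue) }));
}
```

Running the block prints, for the constructed "link" cue, that the `a` tag was dropped and that no link is rendered; the recognised `<v>` and `<c>` tags from the other samples pass through as ordinary cue nodes. Any caption format that does allow anchor markup would fail this kind of check and would deserve the Security Considerations note the issue proposes.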