+34 -2 lines changed
@@ -982,4 +982,20 @@ Additions to Level 2</h3>
982
982
<h2 class="no-num" id="priv-sec">
983
983
Privacy and Security Considerations</h2>
984
984
985
-
Issue: Something about ''@import'', since it's linking to other documents?
985
+
* The cascade process does not distinguish between same-origin and cross-origin stylesheets,
986
+
enabling the content of cross-origin stylesheets to be inferred
987
+
from the computed styles they apply to a document.
988
+
989
+
* User preferences and UA defaults expressed via application of style rules
990
+
are exposed by the cascade process,
991
+
and can be inferred from the computed styles they apply to a document.
992
+
993
+
* The ''@import'' rule does not apply the [=CORS protocol=] to loading cross-origin stylesheets,
994
+
instead allowing them to be freely imported and applied.
995
+
996
+
* The ''@import'' rule assumes that resources without <a href="https://html.spec.whatwg.org/multipage/infrastructure.html#content-type"><code>Content-Type</code> metadata</a>
997
+
(or any same-origin file if the host document is in quirks mode)
998
+
are <code>text/css</code>,
999
+
potentially allowing arbitrary files to be imported into the page
1000
+
and interpreted as CSS,
1001
+
potentially allowing sensitive data to be inferred from the computed styles they apply to a document.
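Review bot: the fourth bullet stacks two "potentially allowing" clauses ("potentially allowing arbitrary files to be imported into the page and interpreted as CSS, potentially allowing sensitive data to be inferred..."), which reads as a run-on and hides that the second consequence follows from the first; suggest "allowing arbitrary files to be imported and interpreted as CSS, so that sensitive data in them can be inferred from the computed styles they apply to a document". The third bullet should also say whether an author can opt ''@import'' into CORS at all: unlike <code>&lt;link rel=stylesheet&gt;</code>, which has a <code>crossorigin</code> attribute, the ''@import'' rule has no such hook, so "freely imported and applied" is the only loading mode, and stating that explicitly tells authors they cannot mitigate this from the importing side.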
@@ -1073,4 +1073,20 @@ Additions to Level 2</h3>
1073
1073
<h2 id=priv-sec>
1074
1074
Privacy and Security Considerations</h2>
1075
1075
1076
-
Issue: Something about ''@import'', since it's linking to other documents?
1076
+
* The cascade process does not distinguish between same-origin and cross-origin stylesheets,
1077
+
enabling the content of cross-origin stylesheets to be inferred
1078
+
from the computed styles they apply to a document.
1079
+
1080
+
* User preferences and UA defaults expressed via application of style rules
1081
+
are exposed by the cascade process,
1082
+
and can be inferred from the computed styles they apply to a document.
1083
+
1084
+
* The ''@import'' rule does not apply the [=CORS protocol=] to loading cross-origin stylesheets,
1085
+
instead allowing them to be freely imported and applied.
1086
+
1087
+
* The ''@import'' rule assumes that resources without <a href="https://html.spec.whatwg.org/multipage/infrastructure.html#content-type"><code>Content-Type</code> metadata</a>
1088
+
(or any same-origin file if the host document is in quirks mode)
1089
+
are <code>text/css</code>,
1090
+
potentially allowing arbitrary files to be imported into the page
1091
+
and interpreted as CSS,
1092
+
potentially allowing sensitive data to be inferred from the computed styles they apply to a document.
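Review bot: the second bullet ("User preferences and UA defaults expressed via application of style rules are exposed by the cascade process") never names the threat; in a Privacy and Security Considerations section the reader needs to know this is a fingerprinting vector (computed styles reveal a user's configured fonts, colors, or accessibility overrides), which is a different concern from the cross-origin leakage described by the other three bullets, so consider ending it with "which can be used to fingerprint the user". The first bullet's "enabling the content of cross-origin stylesheets to be inferred" could also be read as claiming the stylesheet text itself becomes readable; it is the computed styles on the document that are observable, so "inferred" should be tied to that channel more directly. This hunk is the same text as the first file's hunk, so any wording change accepted there needs to be mirrored here to keep the two levels in sync.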