[compositing] mix-blend-mode circumvents browsing history privacy protection #18

Open
zcorpan opened this Issue Aug 11, 2016 · 4 comments

4 participants
@zcorpan
Member

zcorpan commented Aug 11, 2016

https://drafts.fxtf.org/compositing-1/#mix-blend-mode

'mix-blend-mode' appears to enable bypassing the browsing history protection browsers have for :visited.

Since it is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user’s consent, UAs may treat all links as unvisited links or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.

https://drafts.csswg.org/selectors/#link

(The measure commonly implemented I believe is to only allow foreground and background colors to be changed, and getComputedStyle returns the :link style.)

See https://lcamtuf.blogspot.se/2016/08/css-mix-blend-mode-is-bad-for-keeping.html by @lcamtuf and http://lcamtuf.coredump.cx/whack/ for a demo of the attack.

As far as I can tell, you don't even need the user to actually click. Using CSSOM View document.elementFromPoint(x, y) appears to work just as well.

I suppose this has to do with the used color somehow affecting hit testing (which we haven't defined)?

cc @cabanier @nikosandronikos @fantasai @tabatkins
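
The mechanism described in the opening post, as an added example that is not code from this thread or from the linked demo. It models, per pixel, how a separable mix-blend-mode (formulas from Compositing and Blending Level 1) turns the rendered :link / :visited colour of a link into an overlay that is visible for one state and invisible for the other, and how the user's clicks on such overlays are decoded into history bits. The colours (the common UA defaults #0000ee and #551a8b), the single `difference` layer, the visibility threshold and the candidate URL list are constructed for the illustration, not taken from the demo.

```javascript
// Added example, not code from the CSSWG thread or from the linked demo.
// Separable blend functions B(Cb, Cs) as defined in Compositing and Blending
// Level 1, on channel values in [0, 1]. Cb is the backdrop, Cs the source.
const BLEND = {
  normal:     (cb, cs) => cs,
  multiply:   (cb, cs) => cb * cs,
  screen:     (cb, cs) => cb + cs - cb * cs,
  darken:     (cb, cs) => Math.min(cb, cs),
  lighten:    (cb, cs) => Math.max(cb, cs),
  difference: (cb, cs) => Math.abs(cb - cs),
  exclusion:  (cb, cs) => cb + cs - 2 * cb * cs,
};

// Blend one opaque RGB source over an opaque RGB backdrop, channel by channel.
function blend(mode, backdrop, source) {
  const f = BLEND[mode];
  if (!f) throw new Error(`unsupported blend mode: ${mode}`);
  return backdrop.map((cb, i) => f(cb, source[i]));
}

// Relative luminance with sRGB coefficients (channels treated as linear here).
function luminance([r, g, b]) {
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Assumed styles (constructed): browsers still let :link and :visited differ
// in `color`; these are the usual UA default colours for the two states.
const LINK_COLOR    = [0x00, 0x00, 0xee].map(c => c / 255); // #0000ee
const VISITED_COLOR = [0x55, 0x1a, 0x8b].map(c => c / 255); // #551a8b

// Assumed layout (constructed): a large opaque overlay is painted after the
// link, so the link's rendered colour is its backdrop. The overlay uses
// `mix-blend-mode: difference` with a source colour equal to LINK_COLOR:
// |link - link| is black for an unvisited link, while a visited link leaves
// a non-black residue, so the overlay shows up exactly when the link was visited.
const OVERLAY_STACK = [{ mode: 'difference', color: LINK_COLOR }];

function renderOverlay(visited, stack = OVERLAY_STACK) {
  let out = visited ? VISITED_COLOR : LINK_COLOR;
  for (const layer of stack) out = blend(layer.mode, out, layer.color);
  return out;
}

// Anything brighter than this is a target the user can see and click
// (threshold is an assumption; the real demo asks the user to click moles).
const VISIBLE_THRESHOLD = 0.05;
function overlayVisible(visited) {
  return luminance(renderOverlay(visited)) > VISIBLE_THRESHOLD;
}

// Attacker side: one overlay cell per candidate URL. The user is told to click
// every cell that lights up; each clicked cell is reported as a visited URL.
function inferVisited(urls, clickedCells) {
  const clicked = new Set(clickedCells);
  return urls.filter((_, i) => clicked.has(i));
}

// Simulation of a cooperative user who clicks exactly the visible cells,
// against a constructed browsing history.
function simulate(urls, history) {
  const visitedSet = new Set(history);
  const clicks = [];
  urls.forEach((u, i) => { if (overlayVisible(visitedSet.has(u))) clicks.push(i); });
  return inferVisited(urls, clicks);
}

// Constructed candidate list for the simulation.
const CANDIDATES = ['https://a.example/', 'https://b.example/', 'https://c.example/'];
```

Note that the decoder trusts every click: a user who clicks a dark cell, or misses a lit one, injects a wrong bit, which is the "small saving grace" a later comment mentions; a real attack would repeat cells and vote.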

@AmeliaBR


AmeliaBR commented Aug 11, 2016

@zcorpan Can you give more details about document.elementFromPoint(x, y) being affected by the computed alpha or color from blending? That shouldn't be happening.

This attack (in the demo) works by encouraging users to click on visibly distinct portions of the screen. I've seen similar demo attacks that use a fake CAPTCHA (with each letter being a link, and :visited styles causing some letters to be masked into the background) and ask the user to type what they see.

In other words, so long as any :visited styles can change the appearance of links, users can be tricked into giving away information about which links they have visited. Trying to solve this problem by limiting which styles can apply will always be imperfect.

The solution I mused about on Twitter is for user agents to not apply :visited styles on cross-origin links, possibly with whitelists for trusted domains such as the user's default search engines. Jake Archibald suggested that referrer domains could also be allowed, since the current website already has information about the referrer.
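
The cross-origin rule sketched in the comment above, as an added example that is neither the commenter's code nor any browser's implementation: a per-link decision a user agent could run before applying :visited styles. Same-origin links and links back to the referrer's origin keep their :visited styling (the page already knows that much); cross-origin links are styled as visited only when the page itself is on a trusted-origin allowlist such as the user's default search engine. The function name, the option names and the allowlist contents are assumptions.

```javascript
// Added example, not code from the thread: a :visited gating policy of the
// kind proposed above. Returns true when the UA may apply :visited styles.
function originOf(href, base) {
  try { return new URL(href, base).origin; } catch { return null; }
}

// `link` is the anchor's href (may be relative to `pageUrl`);
// `trustedOrigins` lists page origins allowed to style cross-origin links.
function shouldApplyVisitedStyle(link, { pageUrl, referrerUrl = '', trustedOrigins = [] }) {
  const pageOrigin = originOf(pageUrl);
  const linkOrigin = originOf(link, pageUrl);
  if (!pageOrigin || !linkOrigin) return false;          // unparsable: treat as unvisited
  if (linkOrigin === pageOrigin) return true;            // same-origin: nothing new leaks
  if (referrerUrl && originOf(referrerUrl) === linkOrigin) return true; // page already saw the referrer
  if (trustedOrigins.includes(pageOrigin)) return true;  // e.g. the default search engine's results page
  return false;                                          // cross-origin: render as unvisited
}
```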

@zcorpan

Member Author

zcorpan commented Aug 11, 2016

Ah, I misunderstood how the demo worked. OK, ignore the bit about elementFromPoint.

@nikosandronikos

Contributor

nikosandronikos commented Aug 12, 2016

That's very creative and clever. It will be difficult to avoid without some drastic changes.
The fact that it relies on the user clicking the right area, and that there's the potential for the user to click anywhere and submit incorrect information, is a small saving grace.

As Amelia said, :visited as it is now is generally problematic and I think it needs some approach at the platform level to fix. There's not much we can do to mix-blend-mode specifically to avoid this that wouldn't be awfully hacky (e.g. making things with a :visited style isolated).

I feel that maybe browsers should move highlighting of visited links into an internal feature, where the user presses a hotkey and all visited links are highlighted somehow.

Also, I wonder if it's worth browsers displaying a warning for pages that have thousands of distinct URLs.

@cabanier

Member

cabanier commented Aug 16, 2016

Since this is not an issue specific to blend mode, we should close this bug, open a new one to deal with this general security issue and continue the discussion there.
