CSS Conditional Rules Module 3

[sandandsnow]

Privacy review requested by the CSS WG on 1 October 2020.

Link to spec: https://drafts.csswg.org/css-conditional-3/

Background:

This module contains the features of CSS for conditional processing of parts of style sheets, conditioned on capabilities of the processor or the document to which the style sheet is being applied.

The main extensions compared to CSS level 2 are allowing nesting of certain at-rules inside@media (https://drafts.csswg.org/css-conditional-3/#at-ruledef-media), and the addition of the@supports (https://drafts.csswg.org/css-conditional-3/#at-ruledef-supports) rule for conditional processing.

The specification has been at CR since 2013

• https://www.w3.org/TR/css3-conditional/
• https://lists.w3.org/Archives/Member/chairs/2013JanMar/0130.html

but due to the long interval since that time, CSS WG is restarting wide review before publishing a Candidate Recommendation Snapshot.

The WG advises that the specification is widely implemented. They expect to meet the CR exit requirements in the next few months.

Links and other review information:

Privacy and security considerations section: https://drafts.csswg.org/css-conditional-3/#priv-sec

Answers to the Self-Review Questionnaire: Security and Privacy: w3c/csswg-drafts#5567

Changes since 2013 CR: https://drafts.csswg.org/css-conditional-3/#changes

The WG has advised that they would prefer responses and discussion to happen on that issue, but invited us to open other issues on that GitHub for any substantive issues discovered.

Review to be discussed on PING call on 15 October 2020.

Go to https://github.com/w3cping/tracking-issues/issues to track the progress of any issues raised as a result of the privacy review.

[sandandsnow]

Update - review to be discussed on PING call on 5 November 2020

[sandandsnow]

Update - review to be discussed on PING call on 19 November 2020

[jyasskin]

I posted my review to the PING Slack, but it hasn't been fully discussed or endorsed yet. My thoughts are:

The https://drafts.csswg.org/css-conditional-3/ CR is pretty solid from a privacy perspective. They’ve got a good Privacy and Security Considerations section that calls out two things:

1. Most of the privacy impact is actually in the Media Queries spec, which I believe hasn’t gone through broad review yet. That exposes a several of platform details that could be useful for fingerprinting.
2. It’s possible that a UA would expose knobs that control what the @supports rule answers, and if a user tweaks those knobs, they could make themself fingerprintable. The spec does say that preferences like “force my colors to high contrast” should not affect the @supports answer for ‘color’, even if they make that property have no effect. The one possible improvement I thought of was to have the spec suggest that UAs tell users when they’re changing a setting that will change a @supports answer.

[sandandsnow]

The CSS WG issued a call for wide review on 8 December 2020

[sandandsnow]

This privacy review was discussed at the PING call on 19 November 2020