add privacy concern, fix w3c#437

svgeesus · svgeesus · commit 5e6ad4579956 · 2021-09-20T13:35:05.000+03:00
diff --git a/css-masking-1/Overview.bs b/css-masking-1/Overview.bs
@@ -1273,6 +1273,8 @@ It is important that the timing to the masking operations is independent of the
 
 A timing attack is a method of obtaining information about content that is otherwise protected, based on studying the amount of time it takes for an operation to occur. If, for example, red pixels took longer to draw than green pixels, one might be able to reconstruct a rough image of the element being rendered, without ever having access to the content of the element.
 
+While CSS capabilities like those defined in this module can be used to hide content from a site visitor, Web developers should not use these features to hide <em>sensitive</em> content from users or page scripts. Content that is hidden from a user's display via CSS can still be accessed and read from page scripts or form submissions. Web developers should treat the capabilities in this spec (as with all CSS specs) as cosmetic changes only, and not imposing or defending a privacy boundary.
+
 
 # Security Considerations # {#sec}
 
