[css-pseudo] Privacy considerations for external resources #5731


Closed
lilles opened this issue Nov 17, 2020 · 6 comments

Comments

@lilles
Member

lilles commented Nov 17, 2020

The privacy and security section [1] talks about reading out computed style for ::spelling-error and ::grammar-error being a privacy issue.

  1. I propose to add that loading external resources should be blocked. The currently allowed external resources are cursors, I think.

     Consider:

     ```html
     <style>
       span::spelling-error { cursor: url(leakinfo), wait }
     </style>
     <span>WordInPersonalDictionary</span>
     ```

  2. Add the ::target-text pseudo element to the list in that section.

[1] https://drafts.csswg.org/css-pseudo-4/#highlight-security

@lilles lilles changed the title [css-pseudo [css-pseudo] Privacy considerations for external resources Nov 17, 2020
@lilles lilles added the Agenda+ label Nov 17, 2020
@ByteEater-pl

Just load it anyway, even if there are no errors initially.

@hober
Member

hober commented Dec 1, 2020

We should probably treat these like :visited.

@lilles
Member Author

lilles commented Dec 2, 2020

> We should probably treat these like :visited.

Yes, but unlike :visited it's not a problem to expose the styles via getComputedStyle() or computedStyleMap since the values from getComputedStyle(span, "::spelling-error") do not depend on whether there is a spelling error or not in the span.

@css-meeting-bot
Member

The CSS Working Group just discussed [css-pseudo] Privacy considerations for external resources.

The full IRC log of that discussion:

<dael> Topic: [css-pseudo] Privacy considerations for external resources
<dael> github: https://github.com//issues/5731
<dael> TabAtkins: rune realized that the spec for spelling-error grammar-error and related pseudo has privacy bits about not detecting spelling dictionary
<hober> q+
<dael> TabAtkins: As written spec allows you to load a bg image which would allow trigger os spelling errors. He proposes we disallow loading of external resources for styling on spelling and grammar errors
<dael> florian: Existing definition of external resources?
<Rossen_> q
<dael> TabAtkins: Probably not one we can link to
<dael> TabAtkins: I think it's reasonable to gloss over for now
<dael> florian: Thinking of things like data urls. If there's an existing definition we can work from it would be nice
<jyasskin> q+
<Rossen_> ack hober
<dael> hober: We already have visited. We do a lot of restrictions on what can do on visited including loading of external resources. Why not limit in same way?
<dael> TabAtkins: I believe visited excludes loading other backgrounds. Okay with that restriction even if more than we need.
<jyasskin> q+ to mention Spectre
<dael> hober: I think consistency is valuable. Even if it's a little more it simplifies model
<dael> fantasai: Isn't visited underdefined
<dael> TabAtkins: Some of details yes but what properties is well defined.
<dael> fantasai: I think a lot of your ideas were in a PR we couldn't merge
<dael> TabAtkins: That was about how we apply them, not what properties
<florian> q?
<Rossen_> ack jyasskin
<Zakim> jyasskin, you wanted to mention Spectre
<dholbert> q+
<dael> jyasskin: Wanted to ask how much worrying about Specter which can detect color changes. I've heard about partitioning visited which wouldn't work for spelling
<fantasai> TabAtkins, https://drafts.csswg.org/selectors-4/#link doesn't seem to have any details
<dael> florian: Both are fingerprinting risk but data from visited is more valuble. If it's easy to be consistent that's interesting. but more important to hide visited
<dael> s/Specter/Spectre
<dholbert> https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector is relevant (to the extent that it's accurate, which I think it is?)
<dael> florian: I'm saying it's related. We're less worried about the attack than on visited
<dael> florian: I think this is privacy sensitive only b/c fingerprinting. visited is privacy not just fingerprinting but the actual data. Protecting the data itself is relevant on visited. I don't think it is here.
<Rossen_> ack dholbert
<fantasai> s/more valuble/itself valuable independently of fingerprinting/
<dael> dholbert: I think visited restrictions could be problematic here. afaict it just limits you to properties that control colors and wouldn't allow add/remove underline which is main thing you want with spelling/grammar. It limits you to a couple properties and doesn't say you can't use external
<Rossen_> q?
<TabAtkins> Yeah, you're right fantasai, we don't actually have the list in the spec, I was misremembering
<dael> Rossen_: What do we do with this
<dael> fantasai: I think we can't align with visited. Current definition is the UA can do stuff to hide the visited-ness of the link. There's no details.
<dael> fantasai: We can be more precise here and say not loading external resources
<dael> fantasai: I can draft up wording what you can do stuff to preserve privacy such as not loading external resources and then we can have a more complete definition in the future that's general and we link to it
<dael> florian: wfm
<dael> Rossen_: Other opinions?
<dael> Rossen_: Is there a 1 line resolution we need?
<dael> Rossen_: Or continue in thread
<dael> hober: Depends on the text
<dael> fantasai: I'll draft up text and we can come back

@ArthurSonzogni
Member

Within ::spelling-error and ::grammar-error, the CSS property 'cursor' with the url(..) value would give a way to exfiltrate the user's dictionary.
I agree this value should be removed/ignored.

You said data-url might be an allowed exception. Are we sure there are no ways to know a data-url request was made?

  1. Resource timing API: I did some local testing and also asked Yoav Weiss. Those are excluded.
  2. Service worker: I believe from memory those are never allowed to serve a data-url.
  3. The new performance.measureMemory(): It's a bit far fetched, but I guess some inference seems possible. Displaying the image would consume some memory.

Being able to customize the cursor for grammar errors seems a niche use case. Removing this shouldn't hurt, right?

@schenney-chromium
Contributor

Only a limited number of properties are allowed inside ::spelling and other highlight pseudos, and none of those properties can load external resources. Closing this issue as resolved. https://drafts.csswg.org/css-pseudo-4/#highlight-styling
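As an added example (not code from this issue or from the CSS WG drafts), here is a small stylesheet audit in JavaScript that finds rules targeting the highlight pseudo-elements discussed in the thread and flags any declaration whose value would fetch through url(), distinguishing data: URLs (the possible exception raised above) from external ones. The pseudo-element list, the rule parser and the sample stylesheet are constructed for this demonstration.

```javascript
// Added audit example (hypothetical helper, not part of the css-pseudo spec or any browser).
// Flags url() loads declared on highlight pseudo-elements, which the spec now disallows.
const HIGHLIGHT_PSEUDOS = ["::spelling-error", "::grammar-error", "::target-text", "::selection"];

// Split a declaration block on ';' while ignoring ';' inside parentheses,
// so data URLs such as url("data:image/png;base64,...") stay intact.
function splitDeclarations(block) {
  const out = []; let depth = 0, cur = "";
  for (const ch of block) {
    if (ch === "(") depth++; else if (ch === ")") depth--;
    if (ch === ";" && depth === 0) { out.push(cur); cur = ""; } else cur += ch;
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(Boolean);
}

// Minimal flat-stylesheet parser: comments are stripped, nested at-rules are not handled.
function parseRules(css) {
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const decls = splitDeclarations(m[2]).map(d => {
      const i = d.indexOf(":");
      return { property: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
    });
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

// Returns "data" for data: URLs, "external" for anything else, null when no url() is present.
function urlKind(value) {
  const m = /url\(\s*(['"]?)([^'")]*)\1\s*\)/i.exec(value);
  if (!m) return null;
  return /^data:/i.test(m[2].trim()) ? "data" : "external";
}

function auditHighlightRules(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    if (!HIGHLIGHT_PSEUDOS.some(p => rule.selector.includes(p))) continue;
    for (const { property, value } of rule.decls) {
      const kind = urlKind(value);
      if (kind) findings.push({ selector: rule.selector, property, kind });
    }
  }
  return findings;
}

// Constructed sample stylesheet: the first two rules should be reported, the last two should not.
const SAMPLE_CSS = `
  span::spelling-error { cursor: url(leakinfo), wait }
  p::grammar-error { background-image: url("data:image/png;base64,AAAA"); color: red }
  ::target-text { background-color: yellow }
  a:hover { cursor: url(pointer.cur), pointer }
`;
```

Running auditHighlightRules(SAMPLE_CSS) reports the cursor load on span::spelling-error as "external" and the background-image on p::grammar-error as "data"; the a:hover rule is outside the highlight pseudos and is ignored.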
