As the web gets increasingly competent, designers can make more extravagant online encounters. There are times, be that as it may, where some new web abilities may not function as you would expect in light of a legitimate concern for ease of use, security and protection.
I have run into circumstances like this. Like sluggish stacking in HTML. It's not difficult to drop that characteristic onto a picture component just to acknowledge… it very more than that to do its thing. We'll get into that particular one in a second as we take a gander at a couple of different highlights that probably won't work precisely as you'd anticipate.
This impediment has been around for some time, yet it shows how program highlights can be abused. One potential adventure is an anchor gets a few :visited connect style in CSS and is situated off screen. With the off-screen anchor, one could utilize JavaScript to change the anchor's href worth and check whether a specific href makes the connection seem visited—reproducing a client's set of experiences simultaneously.
Known as the CSS History Leak, this was so unavoidable at one time that the Federal Trade Commission, the United States' customer insurance organization, had forced unforgiving fines for misusing it.
Nowadays, endeavoring to utilize getComputedStyle on a :visited interface returns the style of the unvisited (:connect) connect all things considered. That is only something you need to know since that is not the same as how it instinctively should function.
There are two approaches ways you could try to get around this, but neither of them are possible.
- make the visited link’s style trigger a side effect (e.g. a layout shift), or
- leverage the sibling (~ or +) or child (>) CSS selectors to render another style.
Regarding side effects, while there are some clever yet fragile ways to do this, the options we have for styling :visited links are limited and some styles (like background-color) will only work if they’re applied to unvisited links. As for using a sibling or child, executing getComputedStyle on these returns the style as if the link wasn’t visited to begin with.
Browsers don’t cache assets across sites anymore
One advantage of a CDN was that they allowed for a particular resource (like Google Fonts) to be cached in the browser for use across different websites. While this does provide a big performance win, it has grave privacy implications.
Given that an asset that’s already cached will take longer to load than one that’s not, a site could perform a timing attack to not only see your site history but also expose both who you are and your online activity. Jeff Kaufman gives an example:
"Unfortunately, a shared cache enables a privacy leak. Summary of the simplest version:
- I want to know if you’re a moderator on www.forum.example.
- I know that only pages under load www.forum.example/moderators/header.css.
- When you visit my page I load www.forum.example/moderators/header.css and see if it came from cache.
In light of this, browsers don’t offer this anymore.
performance.now() may be inaccurate
A scary group of vulnerabilities came out as couple of years ago, one of which was called Spectre. For an in depth explanation, see Google’s leaky.page (works best in Chromium) as a proof of concept. But for the purposes of this article, just know that the exploit relies on getting highly accurate timing, which is something that performance.now() provides, to try and map sensitive CPU data.
To mitigate Spectre, browsers have reduced its accuracy and may add noise as well. These range from 20ÎĽs to 1ms and can be changed based on various conditions like HTTP headers and browser settings.
Lazy loading with the loading attribute doesn’t work without JavaScript
Lazy loading is a technique where assets are only loaded in the browser when it scrolls into the viewport. Until recently, we could only implement this in JavaScript using IntersectionObserver or onscroll. Except for Safari, we can apply the loading attribute to images and iframes (in Chromium) and the browser will handle lazy loading.
Being able to do this in HTML makes it sound like the attribute doesn’t require JavaScript at all, but it does. From the WHATWG spec:
"If scripting is disabled for an element, return false.
Note
This is an anti-tracking measure, because if a user agent supported lazy loading when scripting is disabled, it would still be possible for a site to track a user’s approximate scroll position throughout a session, by strategically placing images in a page’s markup such that a server can track how many images are requested and when.
I’ve seen articles mention that this attribute is how you support lazy loading “without JavaScript” which isn’t true, though it is true you don’t have to write any.
Browsers can limit features based on user preferences
Some users might opt to heavily restrict browser functionality in the interest of further security and privacy. Firefox and Tor are two browsers that do this through the resist fingerprint setting which does things like reducing the precision of certain variables (dimensions and time), omitting certain variables entirely, limiting or disabling some Web APIs and never matching media queries. WebKit has a document outlining how browsers can approach fingerprint resistance.
Note that this goes beyond the standard anti-tracking features that browsers implement. It’s unlikely that a user will enable this as they would need a very specific threat model to do so. Part of this can be countered with progressive enhancement, graceful degradation, and understanding your users. This limitation is a big issue when you actually need fingerprinting, like fraud detection. So, if it’s absolutely necessary, look for an alternative means.
Screen readers might not relay the semantics of certain elements
Semantic HTML is great for many reasons, most notably that it conveys meaning in markup that software, like screen readers, interpret and announce to users who rely on them to navigate the web. It’s essential for crafting accessible websites. But, at times, those semantics aren’t conveyed—at least how you might expect. Something might be accessible, but still have usability issues.
An example is the way removing a list’s markers removes its semantic meaning in WebKit with VoiceOver enabled. It’s a very common pattern, most notably for site navigation. Apple Accessibility Standards Manager James Craig explains why it’s a usability issue, though, citing the W3C’s Design Principle of Priority of Constituents:
In case of conflict, consider users over authors over implementors over specifiers over theoretical purity. In other words costs or difficulties to the user should be given more weight than costs to authors;
Another case where semantics might not be relayed is with emphasis. Take inline elements like strong, em, mark, ins, del, and data—all elements that have semantic meanings, but are unlikely to be read out because they can get noisy. This can be changed in a user’s screenreader’s settings, but if you really want it to be read you can declare it in visually hidden in the content property of either a :before or :after pseudo-element.
Unlike VoiceOver, NVDA reads out some of the semantic elements (del, ins and mark) and tries to emphasize text by gradually increasing the volume of emphasized text. Both of them have no trouble reading out the :before/:after psudo-elements however. Also, VoiceOver read out the tag’s brackets (greater than, less than), though both screenreaders have the ability to change how much punctuation is read.
To see whether or not you need to emphasize the emphasis, make sure you test with your users and see what they need. I didn’t focus on the visual aspect but the default styling of emphasis elements may be inconsistent across browsers, so make sure you provide suitable styling to go along with it.
Web storage might not be persistent
The WHATWG Web storage specification includes a section on privacy that outlines possible ways to prevent storage from being a tracking vector. One such way is to make the data expire. This is why Safari controversially limits script writable storage for seven days. Note that this doesn’t apply to “installed” websites added to the home screen.
#viastudy
.gif)
0 Comments