| Code-Review | -1 |
<link rel="help" href="https://w3c.github.io/mathml-core/#security-considerations">I guess this should be https://w3c.github.io/mathml-core/#privacy-considerations
but still I don't find where the behavior tested here is specified. Do you know where it is specified for HTML?
<a id="mathLink" href="">maybe add a comment that this points to the current file so it's visited.
<script src="/mathml/support/ahem-base64.js"></script>Inserting base64 does not look great.
How about you use
```
a:link > mspace { background: rgb(0, 0, 255); }
a:visited > mspace { background: rgb(255, 0, 0); }
```
and
```
<math xmlns="http://www.w3.org/1998/Math/MathML">
<a href=""><mspace width="200px" height="50px"></a>
</math>
```
maybe with extra tweak to make sure it fits the svg/canvas size.
<a href=""><mtext>X</mtext></a>maybe add a comment that this points to the current file so it's visited.
const imgData = ctx.getImageData(0, 0, 1, 1);testing this single pixel at coordinate (0,0) seems a bit fragile, for example if the math does not not perfectly fit into the SVG.
I would test the middle pixel at (100, 25) which is more likely to contain the mspace.
assert_equals(b, 255, "Blue channel must be 255 as specified in :link selector.");I think this does not work (see 3 of https://frederic-wang.fr/2025/02/21/five-testharness-dot-js-mistakes/).
What about this:
```
function tryGetImgData(sx, sy, sw, sh) {
try {
return ctx.getImageData(sx, sy, sw, sh).data;
} catch(e) {
return null;
}
}
let imgData = tryGetImgData(...);
if (imgData) {
// For browsers returning the data, check pixel color does not reveal :visited.
} else {
/ For browsers throwing, verify this is a security error.
assert_throws_dom("SecurityError", _ => tryGetImgData(...));
}
```
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
<link rel="help" href="https://w3c.github.io/mathml-core/#security-considerations">I guess this should be https://w3c.github.io/mathml-core/#privacy-considerations
but still I don't find where the behavior tested here is specified. Do you know where it is specified for HTML?
This behavior is specified in the css selectors spec[1] and MDN page [2]
[1] https://www.w3.org/TR/selectors-4/#link
[2] https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Selectors/Privacy_and_:visited
I didn't find related information in the html spec either.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
<link rel="help" href="https://w3c.github.io/mathml-core/#security-considerations">tannalI guess this should be https://w3c.github.io/mathml-core/#privacy-considerations
but still I don't find where the behavior tested here is specified. Do you know where it is specified for HTML?
This behavior is specified in the css selectors spec[1] and MDN page [2]
[1] https://www.w3.org/TR/selectors-4/#link
[2] https://developer.mozilla.org/en-US/docs/Web/CSS/Guides/Selectors/Privacy_and_:visitedI didn't find related information in the html spec either.
I updated the help link to css selector spec.
maybe add a comment that this points to the current file so it's visited.
Done
<script src="/mathml/support/ahem-base64.js"></script>Inserting base64 does not look great.
How about you use```
a:link > mspace { background: rgb(0, 0, 255); }
a:visited > mspace { background: rgb(255, 0, 0); }
```and
```
<math xmlns="http://www.w3.org/1998/Math/MathML">
<a href=""><mspace width="200px" height="50px"></a>
</math>
```maybe with extra tweak to make sure it fits the svg/canvas size.
Done
maybe add a comment that this points to the current file so it's visited.
Done
testing this single pixel at coordinate (0,0) seems a bit fragile, for example if the math does not not perfectly fit into the SVG.
I would test the middle pixel at (100, 25) which is more likely to contain the mspace.
Done
assert_equals(b, 255, "Blue channel must be 255 as specified in :link selector.");I think this does not work (see 3 of https://frederic-wang.fr/2025/02/21/five-testharness-dot-js-mistakes/).
What about this:
```
function tryGetImgData(sx, sy, sw, sh) {
try {
return ctx.getImageData(sx, sy, sw, sh).data;
} catch(e) {
return null;
}
}let imgData = tryGetImgData(...);
if (imgData) {
// For browsers returning the data, check pixel color does not reveal :visited.
} else {
/ For browsers throwing, verify this is a security error.
assert_throws_dom("SecurityError", _ => tryGetImgData(...));
}
```
Done
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Code-Review | +0 |
<link rel="help" href="https://drafts.csswg.org/selectors-4/#link">OK, as I read this is just a suggested approach, but I guess if all browsers are doing that it is fine.
color: rgb(255, 0, 0) !important;Why !important?
"The computed style of :visited MathML 'a' element must be masked to protect user history privacy.");I think this description does not bring more information, so I would remove it.
a:link > mspace { background: rgb(0, 0, 255); }In a previous patch, you mentioned that the color of link is a special blue (let's say purple?), but I would use something that is not blue to make clear this selector is applied.
assert_equals(b, 255, "Blue channel must be 255 as specified in :link selector.");It's a bit weird to test each channel individually, as at the end we'll have a single background color applied, so I would just do
`assert_array_equals(imgData, [...], "Background color should apply style from :link but not from :visited.");`
If you want, you can also use two independent properties like :link { background-color: ... } and :visited { opacity: .5; } so it's clear whether none, one or two of them is applied.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Using :any-link instead of :link is because :any-link is applied independent of whether it has been visited or not.
While :link is applied when the href is not visited.
Despite sometimes :link and :visited applied at the same time in chrome and firefox, not sure why.
If you change the :any-link to :link in the anchor-visited-privacy.html, it will show red text with a green background in the page.
I'm not sure if it's a bug.
<link rel="help" href="https://drafts.csswg.org/selectors-4/#link">OK, as I read this is just a suggested approach, but I guess if all browsers are doing that it is fine.
Acknowledged
color: rgb(255, 0, 0) !important;tannalWhy !important?
Hmm, it's a mistake.
Should be removed.
Good catch
"The computed style of :visited MathML 'a' element must be masked to protect user history privacy.");I think this description does not bring more information, so I would remove it.
Done.
In a previous patch, you mentioned that the color of link is a special blue (let's say purple?), but I would use something that is not blue to make clear this selector is applied.
I changed the default style (:any-link) to green.
assert_equals(b, 255, "Blue channel must be 255 as specified in :link selector.");It's a bit weird to test each channel individually, as at the end we'll have a single background color applied, so I would just do
`assert_array_equals(imgData, [...], "Background color should apply style from :link but not from :visited.");`
If you want, you can also use two independent properties like :link { background-color: ... } and :visited { opacity: .5; } so it's clear whether none, one or two of them is applied.
Seems like the :visited selector has some restrictions on what properties can used in the css rule. [1]
Opacity is not allowed in :visited selector.
I'll stick to the background color for both :visited and :any-link.
Again changed :any-link's background-color to green.
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Selectors/:visited#privacy_restrictions
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
assert_equals(b, 255, "Blue channel must be 255 as specified in :link selector.");tannalIt's a bit weird to test each channel individually, as at the end we'll have a single background color applied, so I would just do
`assert_array_equals(imgData, [...], "Background color should apply style from :link but not from :visited.");`
If you want, you can also use two independent properties like :link { background-color: ... } and :visited { opacity: .5; } so it's clear whether none, one or two of them is applied.
Seems like the :visited selector has some restrictions on what properties can used in the css rule. [1]
Opacity is not allowed in :visited selector.
I'll stick to the background color for both :visited and :any-link.
Again changed :any-link's background-color to green.
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Selectors/:visited#privacy_restrictions
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
For the canvas test, render a SVG image containing a mathml a element into canvas,
then verify that the :visited selector is not applied in the canvas result.
For the dom test, we check the :visited rule can't be queried by getComputedStyle.Use the "Format" button.
<head>`<head>` and `<body>` can be removed.
function tryGetImgData(sx, sy, sw, sh) {
try {
return ctx.getImageData(sx, sy, sw, sh).data;
} catch (e) {
return null;
}
}I'd just combine this with the if-else below. I think that will make the test more obvious.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
function tryGetImgData(sx, sy, sw, sh) {
try {
return ctx.getImageData(sx, sy, sw, sh).data;
} catch (e) {
return null;
}
}I'd just combine this with the if-else below. I think that will make the test more obvious.
As I previously mentioned, assert_* functions are throwing exceptions when the assertion fails, so we should avoid placing them in a try { } catch { } block.
Probably a comment should be added to explain that.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
function tryGetImgData(sx, sy, sw, sh) {
try {
return ctx.getImageData(sx, sy, sw, sh).data;
} catch (e) {
return null;
}
}Frédéric Wang NélarI'd just combine this with the if-else below. I think that will make the test more obvious.
As I previously mentioned, assert_* functions are throwing exceptions when the assertion fails, so we should avoid placing them in a try { } catch { } block.
Probably a comment should be added to explain that.
Acknowledged
For the canvas test, render a SVG image containing a mathml a element into canvas,
then verify that the :visited selector is not applied in the canvas result.
For the dom test, we check the :visited rule can't be queried by getComputedStyle.tannalUse the "Format" button.
Done
`<head>` and `<body>` can be removed.
Done
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Code-Review | +1 |
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Exportable changes to web-platform-tests were detected in this CL and a pull request in the upstream repo has been made: https://github.com/web-platform-tests/wpt/pull/61082.
When this CL lands, the bot will automatically merge the PR on GitHub if the required GitHub checks pass; otherwise, ecosystem-infra@ team will triage the failures and may contact you.
WPT Export docs:
https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md#Automatic-export-process
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
| Commit-Queue | +2 |
Add privacy enforcement tests for mathml anchor element
For the canvas test, render a SVG image containing a mathml a element
into canvas, then verify that the :visited selector is not applied in
the canvas result.
For the dom test, we check the :visited rule can't be queried by
getComputedStyle.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
The WPT PR for this CL has been merged upstream! https://github.com/web-platform-tests/wpt/pull/61082
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |