Re: [csswg-drafts] [css-values] Keylogging concerns for attr() value from Tab Atkins Jr. via GitHub on 2018-02-22 (public-css-archive@w3.org from February 2018)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Thu, 22 Feb 2018 00:43:19 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-367528462-1519260198-sysbot+gh@w3.org>

I think that requires full XSS power to do?  (As in, if you can insert arbitrary <link>s, you can already own the page.)  Unless @import is around, hmm.

Point stands - CSS is already in many ways as dangerous of an XSS vector as JS.  If you're allowing arbitrary CSS you're screwed.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2339#issuecomment-367528462 using your GitHub account

Received on Thursday, 22 February 2018 00:43:28 UTC