W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 08 Dec 2009 07:55:56 -0800
Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Message-id: <5BFFEE31-BFAB-4957-8B99-DDC677578447@apple.com>
To: David Lindsay <thornmaker@gmail.com>

On Dec 8, 2009, at 7:43 AM, David Lindsay wrote:

> On Tue, Dec 8, 2009 at 10:07, Maciej Stachowiak <mjs@apple.com> wrote:
>
>> Another possibility is to specifically blacklist the use of the  
>> contents of
>> the "value" attribute in attribute selectors for elements in the HTML
>> namespace. Either all elements, or specifically input elements, or  
>> more
>> specifically input elements of type password or hidden.
>> I think that is better than making attribute selectors not work  
>> with those
>> elements at all. People validly use attribute selectors on form  
>> controls
>> based on the "type" attribute to style them.
>> Regards,
>> Maciej
>>
>
> Are there any legitimate use cases for selecting an element based on
> the value attribute?  I think some solution like this is the direction
> we should be looking.

Maybe based on *presence* of the value attribute (i.e. [value]) but I  
cannot think of any valid use cases based on contents of the value  
attribute ([value*=a]).

Regards,
Maciej
Received on Tuesday, 8 December 2009 15:56:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT