Re: [csswg-drafts] [css-contain] Security/Privacy considerations of css-contain misuse?

@astearns There is nothing new in Contain that needs to be called out.  All of the functions you call out can be accomplished with existing CSS properties.  None of the specs that define those other properties call these functions out specially, because there's no real need to; the abilities are essentially "format the page", which is CSS's core remit.

@dbaron Yeah, that's legit. Contain's intrinsically local effects do not, I believe, require any special attention in this regard; the worst it can do is mess up your own HTML.  (Assuming that you're restricted to posting only `style` attributes or similarly localized CSS; if you can give page-global CSS that isn't sanitized with a careful whitelist, the page is already pwned in general.)

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1376#issuecomment-301575939 using your GitHub account

Received on Monday, 15 May 2017 19:17:37 UTC