
Re: [csswg-drafts] [css-contain] Security/Privacy considerations of css-contain misuse?

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 15 May 2017 19:17:27 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-301575939-1494875846-sysbot+gh@w3.org>
@astearns There is nothing new in Contain that needs to be called out.  All of the functions you call out can be accomplished with existing CSS properties.  None of the specs that define those other properties call these functions out specially, because there's no real need to; the abilities are essentially "format the page", which is CSS's core remit.

@dbaron Yeah, that's legit. Contain's intrinsically local effects do not, I believe, require any special attention in this regard; the worst it can do is mess up your own HTML.  (Assuming that you're restricted to posting only `style` attributes or similarly localized CSS; if you can give page-global CSS that isn't sanitized with a careful whitelist, the page is already pwned in general.)

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1376#issuecomment-301575939 using your GitHub account
Received on Monday, 15 May 2017 19:17:37 UTC
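
The "careful whitelist" for user-supplied `style` attributes mentioned in the message above, sketched as an added example (not code from this thread, the CSSWG, or any spec). The property list, the value grammars and the function name `sanitizeStyleAttribute` are assumptions chosen for illustration.

```javascript
// Added example: allowlist filter for user-supplied `style` attribute text.
// ALLOWED (properties and value grammars) is an assumption, not taken from any spec.
const ALLOWED = new Map([
  ["contain", /^(none|strict|content|(size|layout|style|paint)( (size|layout|style|paint)){0,3})$/],
  ["color", /^(#([0-9a-f]{3}|[0-9a-f]{6})|[a-z]{3,20})$/],
  ["font-weight", /^(normal|bold|[1-9]00)$/],
  ["text-align", /^(left|right|center|justify)$/],
  ["margin", /^(0|\d{1,3}(px|em|%))( (0|\d{1,3}(px|em|%))){0,3}$/],
]);

// Returns a style string rebuilt only from declarations whose property is
// allowlisted and whose value matches that property's strict grammar.
// Nothing from the input is copied through unvalidated, so quotes, url(),
// backslash escapes, comments and !important never reach the output, even
// when the naive split on ";" disagrees with a real CSS parser.
function sanitizeStyleAttribute(input) {
  const kept = [];
  for (const chunk of String(input).split(";")) {
    const colon = chunk.indexOf(":");
    if (colon === -1) continue; // not a declaration
    const prop = chunk.slice(0, colon).trim().toLowerCase();
    const value = chunk
      .slice(colon + 1)
      .trim()
      .toLowerCase()
      .replace(/\s+/g, " "); // collapse whitespace before matching
    const grammar = ALLOWED.get(prop);
    if (grammar && grammar.test(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join("; ");
}

// Constructed sample inputs (not from the thread).
const SAMPLES = [
  "contain: strict; color: #F00",
  "position: fixed; background: url(https://example.test/x.png); CONTAIN: layout  paint",
  'color: red" onmouseover="x',
  "margin: 4px !important",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeStyleAttribute(s)));
}
```

With this approach `contain` passes through like any other local formatting property, while anything outside the allowlist is dropped rather than repaired.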
