Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

I believe that an HTTP(S) document would not be allowed to fetch a `file:` URL at all, but I couldn’t find that being specified. Can someone confirm either way?

At least, such a request would be cross-origin. Per, a cross-origin stylesheet is not applied to the document if it does not have an appropriate `Content-Type`.

Same-origin resources are not relevant here since they can be fetched with `XMLHttpRequest` anyway.

So the problem this proposal is trying to solve is: protecting against exfiltration of a cross-origin resource that is not intended to be CSS but still served as `text/css`. Regardless of whether this is a problem worth solving in the first place, we cannot know intentions for sure so at best we can guess with a heuristic.
We could imagine many different heuristics for “might not be intended as CSS syntax”. Using presence of U+0000 seems very arbitrary. What about other control code points? (U+0001 to U+001F except whitespace). Assuming UTF-8 decoding, what about 0xFF bytes? Or other byte sequences that are not well-formed UTF-8 and decoded as U+FFFD at that layer?

For any given heuristic, what is the risk of false positive? Even if there is no useful reason to deliberately make a stylesheet that contains { nulls, controls, 0xFF, ill-formed UTF-8, whatever }, is the reduction of exfiltration risk worth breaking real stylesheets where it happens accidentally?

GitHub Notification of comment by SimonSapin
Please view or discuss this issue at using your GitHub account

Received on Monday, 2 July 2018 11:12:53 UTC