W3C home > Mailing lists > Public > public-css-archive@w3.org > July 2018

Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

From: Mike West via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Jul 2018 05:09:36 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-403702067-1531199375-sysbot+gh@w3.org>
(Since my earlier comment wasn't clear: I support the original proposal. `file:` documents requesting `file:` resources leads to the potential of data exfiltration along the lines of what Tab suggested. We've seen exactly that attack in the vaguely recent past, and hardening the CSS parser to crash and burn on `\0` seems quite reasonable to me. I'd be equally happy to follow @SimonSapin's suggestion of widening the ban to a larger set of control characters. :) )

GitHub Notification of comment by mikewest
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-403702067 using your GitHub account
Received on Tuesday, 10 July 2018 05:09:44 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:41:33 UTC