Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

To be clear my mentioning control characters was an attempt to show how arbitrary an heuristic it is to look for U+0000 *or* some other set of code points, not an actual proposal.

I think that the CSS tokenizer is the wrong layer to fix this. If the concern is for example with `file:///C:/Users/me/Downloads/evil.html` requesting `file:///C:/Users/Me/AppData/GoogleChrome/passwords.sqlite`, wouldn’t a heuristic based on URLs be better? For example going "up" a directory, or going through a directory that the OS considers hidden.

GitHub Notification of comment by SimonSapin
Please view or discuss this issue at using your GitHub account

Received on Tuesday, 10 July 2018 05:28:21 UTC