Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

It’d definitely break some files, we just don’t know how many. Maybe it’s few enough to be insignificant, maybe even by a lot. But this alone is not a sufficient reason to change mostly-interoperable behavior.

This thread has had no discussion of whether this proposal actually solves the problem it is trying to solve. Does a typical browser user’s filesystem not contain sensitive files that do not contain NULLs? Or even are entirely ASCII-printable? (Maybe a password database stored as JSON rather than SQLite?) Is there no exfiltration vector other than `<link rel=stylesheet>`? Should we also look for NULLs in the HTML and XML and JavaScript parsers? Or, in the other direction, is should this change be specifically about custom properties rather than tokenizer-level?

More than the actual proposal, I’m worried about how the discussion of it is going (or not going).

GitHub Notification of comment by SimonSapin
Please view or discuss this issue at using your GitHub account

Received on Tuesday, 10 July 2018 09:19:39 UTC