W3C home > Mailing lists > Public > public-css-archive@w3.org > July 2018

Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

From: Simon Sapin via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Jul 2018 09:19:36 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-403757571-1531214365-sysbot+gh@w3.org>
It’d definitely break some files, we just don’t know how many. Maybe it’s few enough to be insignificant, maybe even by a lot. But this alone is not a sufficient reason to change mostly-interoperable behavior.

This thread has had no discussion of whether this proposal actually solves the problem it is trying to solve. Does a typical browser user’s filesystem not contain sensitive files that do not contain NULLs? Or even are entirely ASCII-printable? (Maybe a password database stored as JSON rather than SQLite?) Is there no exfiltration vector other than `<link rel=stylesheet>`? Should we also look for NULLs in the HTML and XML and JavaScript parsers? Or, in the other direction, is should this change be specifically about custom properties rather than tokenizer-level?

More than the actual proposal, I’m worried about how the discussion of it is going (or not going).

-- 
GitHub Notification of comment by SimonSapin
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-403757571 using your GitHub account
Received on Tuesday, 10 July 2018 09:19:39 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 19 September 2019 01:18:59 UTC