- From: Pierre-Yves Gérardy via GitHub <sysbot+gh@w3.org>
- Date: Tue, 11 Feb 2020 16:37:36 +0000
- To: public-css-archive@w3.org
You still get an n^6 bang for your buck. That's a sweet payout.
Contrast that with an iframe bomb that has a linear server cost.
```
b, b b, b b b, b b b b, b b b b b, b b b b b b {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
}}}}}}
```
Expands to a selector that is 1984790 characters long.
```JS
[...Array(5)].map(
()=>'& , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b &'
).reduce(
(r, v) => v.replace(/&/g, `is(${r})`),
'b, b b, b b b, b b b b, b b b b b, b b b b b b'
).length // 1984790
```
Even assuming that this example can be handled smartly by the engine because of the repetition of the `b`, you'd lose that if the attacker uses variations of the pattern with distinct selectors.
--
GitHub Notification of comment by pygy
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2881#issuecomment-584726666 using your GitHub account
Received on Tuesday, 11 February 2020 16:37:38 UTC
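
Added example, not part of the original comment or of any CSS engine: a depth-by-depth size check that a preprocessor or parser could run before desugaring nested selectors, computing the expanded length arithmetically instead of building the string. The function names and the 100000-character budget are assumptions; it counts every `&` as a parent reference and uses the same `is(...)` wrapping as the calculation in the comment.

```javascript
// Per-reference overhead of wrapping the parent as "is(" + parent + ")",
// matching the accounting used in the comment's own snippet.
const WRAP = 'is()'.length;

// Length of a nested selector once every "&" is replaced by is(<parent>).
function expandedLength(parentLen, nested) {
  const refs = (nested.match(/&/g) || []).length; // parent references
  const literal = nested.length - refs;           // characters copied as-is
  return literal + refs * (parentLen + WRAP);
}

// Walk a chain of nested selectors (outermost first) and stop at the first
// level whose desugared size exceeds `budget` characters.
// Returns { ok, depth, sizes }; depth is the offending level, or -1 if none.
function checkNestingBudget(outer, nestedLevels, budget) {
  const sizes = [outer.length];
  if (sizes[0] > budget) return { ok: false, depth: 0, sizes };
  for (let i = 0; i < nestedLevels.length; i++) {
    const next = expandedLength(sizes[i], nestedLevels[i]);
    sizes.push(next);
    // Growth is geometric in depth, so bail out as soon as the budget is hit.
    if (next > budget) return { ok: false, depth: i + 1, sizes };
  }
  return { ok: true, depth: -1, sizes };
}

// Constructed input: the selectors from the stylesheet in the comment.
const OUTER = 'b, b b, b b b, b b b b, b b b b b, b b b b b b';
const NESTED =
  '& , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b &';
const LEVELS = Array(5).fill(NESTED);

const unlimited = checkNestingBudget(OUTER, LEVELS, Infinity);
const limited = checkNestingBudget(OUTER, LEVELS, 100000); // hypothetical budget

console.log(unlimited.sizes); // size after each nesting level
console.log(limited.ok, limited.depth);
```

The check costs time proportional to the source text, so it can reject the rule at the level where it crosses the budget without allocating the expanded selector.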