- From: Pierre-Yves Gérardy via GitHub <sysbot+gh@w3.org>
- Date: Tue, 11 Feb 2020 16:37:36 +0000
- To: public-css-archive@w3.org

You still get an n^6 bang for your buck. That's a sweet payout. Contrast that with an iframe bomb that has a linear server cost.

```
b, b b, b b b, b b b b, b b b b b, b b b b b b {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
@nest & , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b & {
}}}}}}
```

Expands to a selector that is 1984790 characters long.

```JS
[...Array(5)].map(
  () => '& , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b &'
).reduce(
  (r, v) => v.replace(/&/g, `is(${r})`),
  'b, b b, b b b, b b b b, b b b b b, b b b b b b'
).length // 1984790
```

Even assuming that this example can be handled smartly by the engine because of the repetition of the `b`, you'd lose that if the attacker uses variations of the pattern with distinct selectors.

--
GitHub Notification of comment by pygy
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2881#issuecomment-584726666 using your GitHub account
Received on Tuesday, 11 February 2020 16:37:38 UTC
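
An added example, not part of the original comment or of any CSSWG text: a pre-flight check that computes the size of the desugared selector from the nested selector lists without building the string, so a parser can reject the stylesheet before expanding it. It assumes every `&` is a nesting selector and is replaced by the parent wrapped in `is(...)`, as in the comment's own snippet; `expandedSelectorLength` and the 65536-character budget are hypothetical.

```javascript
// Added example: size of the desugared selector, computed without building it.
// Assumptions: every "&" in a nested list is a nesting selector (none inside
// strings or attribute values), and each is replaced by the parent selector
// wrapped in "is(...)", the same model as the snippet in the comment.
const WRAPPER_LEN = 'is()'.length;

// levels[0] is the outermost selector list; each later entry nests one deeper.
// Cost is linear in the input size; stops at the first level over budget.
function expandedSelectorLength(levels, budget = Infinity) {
  let length = levels[0].length;
  let depth = 0;
  while (length <= budget && depth + 1 < levels.length) {
    depth++;
    const refs = (levels[depth].match(/&/g) || []).length;
    // Literal characters are copied once; each "&" costs one wrapped parent.
    length = levels[depth].length - refs + refs * (length + WRAPPER_LEN);
  }
  return { ok: length <= budget, length, depth };
}

// Sample input rebuilt from the selector lists in the comment.
const OUTER = 'b, b b, b b b, b b b b, b b b b b, b b b b b b';
const NESTED =
  '& , b &, b & b, b b & b, b b b & b , b b b b & b, b b b b b & b, b b b b b b &';
const bomb = [OUTER, ...Array(5).fill(NESTED)];

// Constructed variation: a different tag name at each level. Engine-side
// deduplication of the repeated `b` would not help, the size check still does.
const varied = bomb.map((list, i) => list.replace(/b/g, 'abcdef'[i]));

const SELECTOR_BUDGET = 65536; // hypothetical limit, in characters

console.log(expandedSelectorLength(bomb));                    // full size
console.log(expandedSelectorLength(varied, SELECTOR_BUDGET)); // rejected early
```

With the budget applied, the check stops at the fourth nesting level, after touching only the source text.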