Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136) from Tab Atkins Jr. via GitHub on 2020-06-01 (public-css-archive@w3.org from June 2020)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 01 Jun 2020 23:50:00 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-637185270-1591055399-sysbot+gh@w3.org>

Argh, exfiltrating numerics as described in <https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209> is clever, and annoying. ^_^

Okay, I've given it some thought, and yeah, I don't see a reasonable way to do this besides an allowlist. Here's my sketch of an idea:

* on each [DocumentOrShadowRoot](https://dom.spec.whatwg.org/#mixin-documentorshadowroot), define a DOMTokenList of attribute names to expose. These are exposed on every element in that tree scope.
 * Allow a `"*"` token, to expose all attributes?
* Attributes whose name matches `data-css-*` (and/or if we can swing the HTML edit, `css-*`) are exposed by default.
* `content` on a pseudo-element still allows `attr(foo string)` for any attribute as a top-level value, for back-compat reasons. (*Not* nested into anything else.)

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-637185270 using your GitHub account

Received on Monday, 1 June 2020 23:50:02 UTC