- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Tue, 02 Jun 2020 17:57:11 +0000
- To: public-css-archive@w3.org
"Based on origin" doesn't help, as we're wanting to defend against CSS injection, which makes the CSS first-party. It's *probably* okay to allow most built-in HTML attributes to be used. Sensitive attributes need to be blocked *in general* (from Selectors, too), but the rest are likely okay to expose by default, like `href` in your example. But I think we still have to block data-* by default, and allowlist them in.

--
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-637710405 using your GitHub account
Received on Tuesday, 2 June 2020 17:57:12 UTC