
Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Jun 2020 17:57:11 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-637710405-1591120630-sysbot+gh@w3.org>

"Based on origin" doesn't help, as we're wanting to defend against CSS injection, which makes the CSS first-party.

It's *probably* okay to allow most built-in HTML attributes to be used.  Sensitive attributes need to be blocked *in general* (from Selectors, too), but the rest are likely okay to expose by default, like `href` in your example.  But I think we still have to block data-* by default, and allowlist them in.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-637710405 using your GitHub account
Received on Tuesday, 2 June 2020 17:57:12 UTC
