Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

"Based on origin" doesn't help, as we're wanting to defend against CSS injection, which makes the CSS first-party.

It's *probably* okay to allow most built-in HTML attributes to be used.  Sensitive attributes need to be blocked *in general* (from Selectors, too), but the rest are likely okay to expose by default, like `href` in your example.  But I think we still have to block `data-*` by default, and allowlist them in.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-637710405 using your GitHub account

Received on Tuesday, 2 June 2020 17:57:12 UTC