W3C home > Mailing lists > Public > public-css-archive@w3.org > June 2020

Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Fri, 05 Jun 2020 16:07:16 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-639599270-1591373234-sysbot+gh@w3.org> 
> Every attack relies on [`<url>`](https://drafts.csswg.org/css-values/#urls). Can all other uses of `attr()` be considered safe and therefore need no restriction at all?

Not true, as I linked in an earlier comment: <https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209>

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-639599270 using your GitHub account
Received on Friday, 5 June 2020 16:07:17 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:12 UTC