Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136) from Tab Atkins Jr. via GitHub on 2020-06-05 (public-css-archive@w3.org from June 2020)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Fri, 05 Jun 2020 16:07:16 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-639599270-1591373234-sysbot+gh@w3.org>

> Every attack relies on [`<url>`](https://drafts.csswg.org/css-values/#urls). Can all other uses of `attr()` be considered safe and therefore need no restriction at all?

Not true, as I linked in an earlier comment: <https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209>

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-639599270 using your GitHub account

Received on Friday, 5 June 2020 16:07:17 UTC