Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

> Sensitive attributes need to be blocked in general (from Selectors, too), but the rest are likely okay to expose by default, like href in your example. But I think we still have to block data-* by default, and allowlist them in.

My one concern about this specifically is that `href`, `src` and other attributes that carry URLs often contain sensitive data; for example, [capability URLs](https://www.w3.org/TR/capability-urls/) include secrets that allow accessing private resources. If we want to limit the exfiltration potential of `attr()` or other powerful CSS functions, I'd be a little wary of allowlisting such attributes for CSS access by default.


-- 
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-643758635 using your GitHub account

Received on Sunday, 14 June 2020 12:15:03 UTC
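
An added example, not part of the original comment or of the CSSWG draft: a Python audit that lists URL-carrying attributes whose values embed token-like secrets, which is the data CSS could read if `href`, `src` and similar attributes were allowlisted by default. The attribute set beyond `href` and `src`, the thresholds, the helper names and the sample markup are assumptions of this example.

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# href and src are named in the comment; the other attributes, the length
# and entropy thresholds, and the token shape are assumptions of this example.
URL_ATTRS = {"href", "src", "action", "formaction", "poster"}
MIN_LEN = 16        # shortest token treated as a possible secret
MIN_ENTROPY = 3.5   # Shannon entropy threshold, bits per character
TOKEN_RE = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9_-]+$")

def entropy(s):  # Shannon entropy of s, bits per character
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))

def looks_secret(token):
    return (len(token) >= MIN_LEN and bool(TOKEN_RE.match(token))
            and entropy(token) >= MIN_ENTROPY)

def secret_parts(url):
    """Path segments and query values of url that look like secrets."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [value for _, value in parse_qsl(parts.query)]
    return [c for c in candidates if looks_secret(c)]

class CapabilityUrlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, suspicious tokens)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and secret_parts(value):
                self.findings.append((tag, name, secret_parts(value)))

def audit(html):
    parser = CapabilityUrlAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup; hosts and token values are made up.
SAMPLE = """
<a href="https://files.example/share/q7Zk2Lw9xT4bVn8RcY1mPd3H">Shared file</a>
<img src="/avatar.png?sig=Xy7Kp2Qw9ZrT5mNb8Vc3Ld6F">
<a href="/articles/introduction-to-selectors">Article</a>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is a heuristic: short or low-entropy secrets are missed, and random-looking non-secret identifiers are flagged.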