
Re: [csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
Date: Wed, 24 Jun 2020 17:00:14 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-648943684-1593018013-sysbot+gh@w3.org>
The CSS Working Group just discussed `[selectors][css-values] Hide "sensitive" attributes from CSS`.

<details><summary>The full IRC log of that discussion</summary>
<dael> Topic: [selectors][css-values] Hide "sensitive" attributes from CSS
<dael> github: https://github.com/w3c/csswg-drafts/issues/5136
<dael> TabAtkins: Review is this allows for a known attack. Makes it a whole lot easier to do background URLs. Rather than partly loading and building letter by letter you can instead grab the whole thing and ship it out.
<dael> TabAtkins: Some bits can be crafted with spec language, but some can't. Some attributes will host data and can be extracted. This is a problem.
<dael> TabAtkins: I'd like to be able to code these attributes. But I don't want to expose arbitrary data attributes with sensitive information.
<dael> TabAtkins: Some suggestions in the thread about how to solve. Mark some as safe and unsafe and a mechanism for JS to swap between categories so you can use some attributes safely.
<dael> TabAtkins: I don't know the final solution. It's a blocker for attr() because it makes the attack easier.
<dael> TabAtkins: Anyone interested in security concerns please review and help me figure out a solution that's not cumbersome or weird.
<dael> astearns: Any initial thoughts?
<dael> faceless2_: This is used already in lots of print engines. It would be a shame to break everything by blocking href and other common
<dael> TabAtkins: We should set up the spec so that UAs in secure spaces can ignore this. I'm concerned about things like CSS injection attacks. Print should be fine and I will make sure I allow it.
<dael> astearns: Thanks for the intro, we'll get back to this.

GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-648943684 using your GitHub account
Received on Wednesday, 24 June 2020 17:00:16 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:09 UTC