
[csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

From: Xiaocheng Hu via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 May 2020 23:50:19 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-621357518-1589932218-sysbot+gh@w3.org>
xiaochengh has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-values] Security concerns regarding attr() ==
The [CSS values spec](https://drafts.csswg.org/css-values-4/#sec-pri) basically says there are no security concerns:

> This specification mostly just defines units that are common to CSS specifications, and which present no security concerns.

In the [Blink Intent to Implement and Ship: Advanced attr() thread](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/BSUrk2roCQAJ), multiple concerns have been raised that `attr()` can be used as a tool for data exfiltration of sensitive data like passwords, `nonce`, etc.

And it's a much easier-to-use weapon compared to attribute selectors, which have to exfiltrate the attribute value character by character in an iterative/recursive manner.

Other than "try harder to block CSS injection", do we have other ideas to address the security concerns? For example, blacklisting certain attributes (e.g., `nonce`, `value`, etc.), or even whitelisting attributes allowed in `attr()` (as suggested by @mikewest [here](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/A1vw2xREAgAJ))?

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092 using your GitHub account
Received on Tuesday, 19 May 2020 23:50:20 UTC
