xiaochengh has just created a new issue for https://github.com/w3c/csswg-drafts: == [css-values] Security concerns regarding attr() == The [CSS values spec](https://drafts.csswg.org/css-values-4/#sec-pri) basically says there's no security concerns: > This specification mostly just defines units that are common to CSS specifications, and which present no security concerns. In the [Blink Intent to Implement and Ship: Advanced attr() thread](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/BSUrk2roCQAJ), multiple concerns have been raised that `attr()` can be used as a tool for data exfiltration of sensitive data like passwords, `nonce`, etc. And it's a much easier-to-use weapon compared to attribute selectors, which has to exfiltrate attribute value character-by-character in an iterative/recursive manner. Other than "try harder to block CSS injection", do we have other ideas to address the security concerns? For example, blacklisting certain attributes (e.g., `nonce`, `value`, etc.), or even whitelisting attributes allowed in `attr()` (as suggested by @mikewest [here](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/A1vw2xREAgAJ))? Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092 using your GitHub accountReceived on Tuesday, 19 May 2020 23:50:20 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:06 UTC