- From: Xiaocheng Hu via GitHub <sysbot+gh@w3.org>
- Date: Tue, 19 May 2020 23:50:19 +0000
- To: public-css-archive@w3.org
xiaochengh has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-values] Security concerns regarding attr() ==

The [CSS values spec](https://drafts.csswg.org/css-values-4/#sec-pri) basically says there are no security concerns:

> This specification mostly just defines units that are common to CSS specifications, and which present no security concerns.

In the [Blink Intent to Implement and Ship: Advanced attr() thread](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/BSUrk2roCQAJ), multiple concerns have been raised that `attr()` can be used as a tool for data exfiltration of sensitive data like passwords, `nonce`, etc. And it's a much easier-to-use weapon compared to attribute selectors, which have to exfiltrate attribute values character-by-character in an iterative/recursive manner.

Other than "try harder to block CSS injection", do we have other ideas to address the security concerns? For example, blacklisting certain attributes (e.g., `nonce`, `value`, etc.), or even whitelisting attributes allowed in `attr()` (as suggested by @mikewest [here](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/A1vw2xREAgAJ))?

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092 using your GitHub account
Received on Tuesday, 19 May 2020 23:50:20 UTC
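As an added example (not code from the issue, the CSSWG or Blink), the two mitigations the issue floats, a denylist of attribute names and an allowlist, expressed as a check a CSS sanitizer or stylesheet-review step could run over author-supplied CSS to flag `attr()` references before they reach the page. It assumes the css-values-4 syntax `attr(<attr-name> <type-or-unit>? , <attr-fallback>?)`; the sample stylesheet and the allowlist contents are constructed.

```javascript
// Added example (not code from the issue, the CSSWG or Blink): flag attr() references
// to sensitive attributes under a denylist or an allowlist, as the issue proposes.
// Assumes the css-values-4 form attr(<attr-name> <type-or-unit>? , <attr-fallback>?).

// Decode CSS identifier escapes ("non\63 e" -> "nonce") so an escaped spelling of a
// denylisted name is not missed. A production sanitizer should run on tokenized CSS so
// that an escaped function name such as \61ttr( is caught as well.
function cssUnescape(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\(.)/gi, (_, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);                   // CSS maps 0 and out-of-range to U+FFFD
    return String.fromCodePoint(cp === 0 || cp > 0x10ffff ? 0xfffd : cp);
  });
}

// Index of the first `stop` character at paren depth 0 and outside quotes, or -1.
function scanTo(s, from, stop) {
  let depth = 0, quote = null;
  for (let i = from; i < s.length; i++) {
    const c = s[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === stop && depth === 0) return i;
    else if (c === '(') depth++;
    else if (c === ')') depth--;
  }
  return -1;
}

// Every attr() reference in `css` as {name, type, fallback, index}.
function findAttrRefs(css) {
  const refs = [], re = /attr\(/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    const start = m.index + m[0].length, end = scanTo(css, start, ')');
    if (end < 0) break;                             // unterminated attr(: nothing more to parse
    const inner = css.slice(start, end), comma = scanTo(inner, 0, ',');
    const head = cssUnescape((comma < 0 ? inner : inner.slice(0, comma)).trim()).split(/\s+/);
    refs.push({ name: head[0].split('|').pop().toLowerCase(), type: head[1] || null,
                fallback: comma < 0 ? null : inner.slice(comma + 1).trim(), index: m.index });
    re.lastIndex = end + 1;
  }
  return refs;
}

// Policy is {mode: 'denylist'|'allowlist', names: Set}; returns the references to block.
function flagAttrRefs(css, policy) {
  return findAttrRefs(css).filter(r =>
    policy.mode === 'denylist' ? policy.names.has(r.name) : !policy.names.has(r.name));
}

// Constructed sample: one benign use, then an escaped `nonce` read and a typed `value` read.
const SAMPLE_CSS = `.label::before { content: attr(data-label); }
  script::after { content: attr(non\\63 e); }
  input::after { content: attr(value string, "none"); }`;
const DENYLIST = { mode: 'denylist', names: new Set(['nonce', 'value']) };
const ALLOWLIST = { mode: 'allowlist', names: new Set(['data-label', 'title', 'alt']) }; // constructed
```

Both policies flag the same two references in the sample; the allowlist form is the one that also catches attribute names nobody thought to denylist.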