
Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

From: arturjanc via GitHub <sysbot+gh@w3.org>
Date: Wed, 20 May 2020 09:07:01 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-631345819-1589965620-sysbot+gh@w3.org>
Please note that @mikewest explicitly referred to the known concerns about third-party CSS in the intent thread and explained how the proposed expansion in expressive power of `attr()` is qualitatively different in [this message](https://groups.google.com/a/chromium.org/g/blink-dev/c/FGCgsKmylhw/m/A1vw2xREAgAJ).

One specific problematic case is sites which allow user-controlled `style=` attributes with lightweight CSS sanitization. IIUC currently this doesn't allow any of the classic exfiltration vectors because:
- In a `style=` attribute you cannot use CSS3 attribute selectors, `@import` or other at-rules.
- Currently, `attr()` works only in the `content` property which is limited to `::before` and `::after` pseudo-elements.

If `attr()` starts working in this case, it can make sites with this pattern vulnerable because it will allow untrusted CSS to access attribute values which otherwise wouldn't be exposed.

Note that this is just one example. Another consideration is the fact that many websites' Content Security Policy rules are more lax when it comes to permitting styles than scripts, so making CSS-based exfiltration of DOM contents easier will allow bypassing existing CSPs.

From a security perspective, I'd strongly favor allowlisting attributes permitted in `attr()` in order to mitigate these risks.

GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-631345819 using your GitHub account
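One way a site could apply the allowlist idea on its own side, as an added example (not code from the thread, Chromium or the CSS spec): a check over a user-supplied `style=` value that rejects any `attr()` reference to an attribute outside a hypothetical allowlist, decoding CSS escapes first so an escaped spelling of `attr(` is not missed.

```javascript
// Added example, not part of the thread or the CSS spec: a site-side check that
// enforces an attribute allowlist for attr() inside a user-supplied style="".
// ALLOWED_ATTR_NAMES is a hypothetical site policy.
const ALLOWED_ATTR_NAMES = new Set(["title", "data-label"]);

// Decode CSS escape sequences ("\61 ttr(" is a valid spelling of "attr(") so
// that an escaped function name is seen by the check below. Code points that
// CSS would replace with U+FFFD are replaced the same way.
function unescapeCss(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (match, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
      return "\uFFFD";
    }
    return String.fromCodePoint(cp);
  });
}

// Return the (lower-cased) attribute names referenced by attr() calls.
// This is a conservative string-level scan rather than a full CSS tokenizer:
// anything that looks like attr( is reported, even where CSS itself would
// not parse it as a function, so it can only over-reject, never under-reject.
function attrReferences(styleValue) {
  const css = unescapeCss(styleValue);
  const refs = [];
  const re = /attr\(\s*([^\s,)]+)/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    refs.push(m[1].toLowerCase());
  }
  return refs;
}

// Accept the style value only when every attr() reference names an
// allowlisted attribute; a style without attr() is accepted as-is.
function styleAttrAllowed(styleValue, allowed = ALLOWED_ATTR_NAMES) {
  return attrReferences(styleValue).every((name) => allowed.has(name));
}

// Constructed sample inputs.
console.log(styleAttrAllowed("color: red; content: attr(title)"));   // true
console.log(styleAttrAllowed("content: attr(data-secret)"));         // false
console.log(styleAttrAllowed("content: \\61 ttr(data-secret)"));     // false
```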
Received on Wednesday, 20 May 2020 09:07:03 UTC
