- From: Mike Bremford via GitHub <sysbot+gh@w3.org>
- Date: Wed, 20 May 2020 12:00:48 +0000
- To: public-css-archive@w3.org
```css
div {
content: url(file.png);
}
```
is valid CSS, and already works on Gecko and Blink (the distinction is between "content-replacement" and "content-list" in the definition of the "content" property - the former (which maps to `<image>`) applies to all elements, not just pseudo-elements).
But as `attr()` on a pseudo-element resolves against the element anyway, I'm not sure it makes any difference in terms of risk.
```css
div::before {
content: url(attr(secret));
content: attr(secret url);
}
```
are presumably the kind of cases causing concern in the original posts. Both should be valid according to the spec, but this syntax doesn't work in any browser yet.
As there's no ability to concatenate in CSS, these would a relative URL resulting in a request to the server that supplied the HTML (or, perhaps, the stylesheet, depending on the outcome of https://github.com/w3c/csswg-drafts/issues/5079). So you couldn't send a request just anywhere.
Personally I've no opinions on what to do about this, other to say that `attr(nnn url)` for any nnn seems quite useful to me, and it would be a shame to lose it. And also that this should probably tip any resolution of https://github.com/w3c/csswg-drafts/issues/5079 towards the attribute being resolved against the origin of the HTML, not the origin of the CSS.
--
GitHub Notification of comment by faceless2
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-631429798 using your GitHub account
Received on Wednesday, 20 May 2020 12:00:50 UTC