- From: arturjanc via GitHub <sysbot+gh@w3.org>
- Date: Sun, 31 May 2020 10:30:37 +0000
- To: public-css-archive@w3.org
I like the idea from https://github.com/w3c/csswg-drafts/issues/5136, let's continue the discussion about restricting CSS attribute access there.
The one thing I'd like to stress here is that exfiltration via `url()` is just one example that illustrates the security concerns, and that there are several other ways to abuse the new `attr()`. Consider something like `<iframe data-userid="1234567" src="//adnetwork.example">`; a limited CSS injection on the page could set `iframe { width: attr(data-userid) }` and have the parameter read via `window.innerWidth` in the frame (even with a locked down Content Security Policy which prevents loading external CSS or reading attribute values with CSS3 selectors).
Basically, I'm worried that there's a fairly large set of existing CSS features that would enable leaks in existing applications when `attr()` starts applying to arbitrary properties.
--
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209 using your GitHub account
Received on Sunday, 31 May 2020 10:30:39 UTC