W3C home > Mailing lists > Public > public-css-archive@w3.org > May 2020

Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

From: arturjanc via GitHub <sysbot+gh@w3.org>
Date: Sun, 31 May 2020 10:30:37 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-636452209-1590921036-sysbot+gh@w3.org>
I like the idea from https://github.com/w3c/csswg-drafts/issues/5136, let's continue the discussion about restricting CSS attribute access there.

The one thing I'd like to stress here is that exfiltration via `url()` is just one example that illustrates the security concerns, and that there are several other ways to abuse the new `attr()`. Consider something like `<iframe data-userid="1234567" src="//adnetwork.example">`; a limited CSS injection on the page could set `iframe { width: attr(data-userid) }` and have the parameter read via `window.innerWidth` in the frame (even with a locked down Content Security Policy which prevents loading external CSS or reading attribute values with CSS3 selectors).

Basically, I'm worried that there's a fairly large set of existing CSS features that would enable leaks in existing applications when `attr()` starts applying to arbitrary properties.

GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209 using your GitHub account
Received on Sunday, 31 May 2020 10:30:39 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:07 UTC