[csswg-drafts] [css-variables] Consider specifying allowed size limit of var() expansion (#5510)

twilco has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-variables] Consider specifying allowed size limit of var() expansion ==
Quoting https://drafts.csswg.org/css-variables/#long-variables:

> To avoid this sort of attack, UAs must impose a UA-defined limit on the allowed length of the token stream that a var() function expands into. If a var() would expand into a longer token stream than this limit, it instead makes the property it’s expanding into invalid at computed-value time.
>
> This specification does not define what size limit should be imposed. However, since there are valid use-cases for custom properties that contain a kilobyte or more of text, it’s recommended that the limit be set relatively high.

Should this limit be explicitly set in the spec to avoid compatibility issues?

Gecko [currently requires values to be 1 MB or less](https://github.com/mozilla/gecko-dev/blob/dd5e04a92b3a9dfa1499da050ce24033689aa792/servo/components/style/custom_properties.rs#L181), while [Chromium](https://github.com/chromium/chromium/blob/f8e333f0373408d1f575dfea35c70739043b16ae/third_party/blink/renderer/core/css/resolver/style_cascade.h#L140) and [WebKit](https://bugs.webkit.org/show_bug.cgi?id=216407) both set a limit of 65536 tokens.


Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5510 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 13 September 2020 02:02:09 UTC
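Added example, not code from the issue or from any browser engine: a toy var() expander in Python that enforces the kind of token limit the quoted spec text calls for (defaulting to the 65536-token figure cited for Chromium and WebKit) and treats an over-limit expansion, a cyclic reference, or a missing property as invalid at computed-value time. It assumes whitespace-separated tokens and var() references without fallback values; `doubling_chain` is a constructed fixture, not data from the issue.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Token-count limit used by Chromium and WebKit, as cited in the issue.
# (Gecko's 1 MB limit is on value length in bytes, so it is not comparable one-to-one.)
MAX_EXPANSION_TOKENS = 65536

# Simplification (assumption): a "token" is a whitespace-separated word, and a
# var() reference is a single word of the form var(--name) with no fallback.
VAR_RE = re.compile(r"^var\((--[A-Za-z0-9_-]+)\)$")

class InvalidAtComputedValueTime(Exception):
    """Raised when the declaration must be treated as invalid at computed-value time."""

def _expand(tokens: List[str], props: Dict[str, str], budget: List[int],
            stack: FrozenSet[str]) -> List[str]:
    out: List[str] = []
    for tok in tokens:
        m = VAR_RE.match(tok)
        if not m:
            budget[0] -= 1                       # every emitted token consumes shared budget
            if budget[0] < 0:
                raise InvalidAtComputedValueTime("expansion exceeds token limit")
            out.append(tok)
            continue
        name = m.group(1)
        if name in stack:                        # cyclic reference, invalid per css-variables
            raise InvalidAtComputedValueTime(f"cycle through {name}")
        if name not in props:                    # undefined property and no fallback
            raise InvalidAtComputedValueTime(f"{name} is not defined")
        out.extend(_expand(props[name].split(), props, budget, stack | {name}))
    return out

def computed_value(value: str, props: Dict[str, str],
                   limit: int = MAX_EXPANSION_TOKENS) -> Optional[str]:
    """Expand var() references in `value`; None means invalid at computed-value time."""
    try:
        return " ".join(_expand(value.split(), props, [limit], frozenset()))
    except InvalidAtComputedValueTime:
        return None

def doubling_chain(depth: int) -> Dict[str, str]:
    """Constructed fixture: --p<i> expands to 2**(i+1) tokens, to exercise the limit."""
    props = {"--p0": "a a"}
    for i in range(1, depth + 1):
        props[f"--p{i}"] = f"var(--p{i-1}) var(--p{i-1})"
    return props

if __name__ == "__main__":
    print(computed_value("var(--p16)", doubling_chain(16)))  # None: 131072 tokens exceed the limit
```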