Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

> Should this be very strictly on the referenced element itself, or would it be okay to put it on an ancestor and have it apply to an entire subtree (and, if placed on html, the entire document)?

There's probably no single right answer here. There's a risk that developers will add the attribute on html and accidentally allow CSS access to sensitive values throughout the DOM (it's difficult to reason about this because it requires understanding the meaning of every value in every attribute in the DOM). At the same time, this would be safe by default, i.e. only applications that add the attribute would allow such access, and we could add a spec/documentation note explaining the considerations.

Personally, I'd be okay with inheriting this bit from an ancestor element given that this design wouldn't result in a security regression for existing applications (at most, it's a sharp edge that developers would need to take into account when adding the attribute).

-- 
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-1357931088 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 19 December 2022 16:34:23 UTC