Re: [csswg-drafts] [css-values-5] `value()` function (#7869)

As mentioned above, this raises security concerns similar to the ones described in https://github.com/web-platform-tests/interop/issues/86#issuecomment-1314054879.

Specifically, this would allow CSS injections to steal sensitive secrets from the DOM, even in situations where such injections are prohibited from executing scripts due to Content Security Policy restrictions.

An additional aspect is that, as proposed, this would also allow the leaking of `script#nonce` properties which are purposefully not available as attributes to prevent them from being accessed by CSS and used to bypass CSP to regain script execution (see https://github.com/whatwg/html/issues/2369).

-- 
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-1314078136 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 14 November 2022 16:58:16 UTC