Re: [csswg-drafts] [css-values] `value()` function (#7869)

@Loirooriol Couldn't attackers do that in the console by simply using `element.value`? This would essentially work the same as that, so I think any of the same protections we have in place for JS we should have here, too— absolutely, CORS or otherwise.

I'm also not so sure this would be easier than using JS for such attacks. I really appreciate your feedback, and I'd love to keep discussing it to find an implementation/spec that's as safe as it is powerful.

-- 
GitHub Notification of comment by brandonmcconnell
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-1275475147 using your GitHub account



Received on Wednesday, 12 October 2022 01:40:56 UTC