- From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
- Date: Wed, 31 May 2023 18:24:41 +0000
- To: public-css-archive@w3.org
noamr has just created a new issue for https://github.com/w3c/csswg-drafts: == [css-view-transitions-2] security considerations with 3p css == #8048 and linked feature suggest to expose certain information about the navigation (navigation type, previous/next URL) to CSS, e.g. in the form of media queries. Some security concerns about it that should be discussed and resolved: As a general rule we don't consider 3rd party CSS as "safe", it can already exfiltrate a lot of information and alter the behavior of the page. However, it is still handled differently than scripts, e.g. `style-src` and `script-src` are separate directives. When exposing navigation type and previous/next URL to CSS, we give CSS direct observation into the cross-document world. The threat model: An existing 3p CSS would now be able to exfiltrate (e.g. by an invisible background image) information about the referrer of its host document. We should resolve how much this should be a constraint and affect our design, if at all. If we decide that this is not a problem, great! One potential mitigation would be to have some kind of HTML opt-in to make CSS "navigation aware", to avoid making these changes something that affects existing sites. Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8889 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 31 May 2023 18:24:43 UTC