Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

There's been more attention on attr() lately in Interop 2024 discussions, so I have a proposal to move forward with this for now without requiring us to fully resolve the security concerns immediately. (Resolving them would be great, of course; I'd just like to decouple the safe usages from progress on that front.)

1. Drop the "`url`" type entirely for now.
2. Strings produced by `attr()` (either directly thru the "`string`" type, or indirectly thru future stringifying/concatenating functions that can take a non-string `attr()`) are marked as "attr()-tainted" and can't be used as url strings. (That is, can't be passed to `src()`, to `image()`, etc.)
3. We separately pursue something like the attr allowlisting approach outlined in <https://github.com/web-platform-tests/interop/issues/86#issuecomment-1316955804>, which'll untaint `attr()` produced from the given attributes and allow the "`url`" type to be used for those attributes.

This'll allow all the safe usages of attr() (anything you want to do within the page) while blocking any exfiltration potential for now, and then future work will allow us to safely exfil expected data only.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-1755809447 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 10 October 2023 16:36:18 UTC
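
The taint rule from points 2 and 3 of the comment above, modelled as an added JavaScript example; it is not part of the original comment and is not browser or spec code. `CssString`, `attr`, `concat`, `content`, `src` and the sample element are hypothetical names, and returning `null` from the URL sink is an assumed stand-in for however an implementation would refuse the value.

```javascript
// Toy model of the proposal's taint rule. Every name here is hypothetical;
// this is not browser code or spec text.
class CssString {
  constructor(text, taint = []) {
    this.text = text;
    this.taint = new Set(taint); // names of the attributes that tainted this string
  }
  get tainted() { return this.taint.size > 0; }
}

// Point 2: attr() output is tainted. Point 3: allowlisted attributes are not.
function attr(element, name, allowlist = new Set()) {
  const value = element[name] ?? "";
  return new CssString(value, allowlist.has(name) ? [] : [name]);
}

// Stringifying/concatenating functions carry taint from any input to the result.
function concat(...parts) {
  const cs = parts.map(p => (p instanceof CssString ? p : new CssString(String(p))));
  return new CssString(cs.map(c => c.text).join(""), cs.flatMap(c => [...c.taint]));
}

// In-page sink (e.g. generated content): tainted strings are accepted.
function content(value) {
  return value.text;
}

// URL sink standing in for src(), image(), etc.: tainted strings are refused.
// Returning null models "nothing is loaded" (an assumption of this sketch).
function src(value) {
  return value.tainted ? null : { fetch: value.text };
}

// Constructed sample element (attribute name -> value) and allowlist.
const el = { "data-label": "Hello", "data-icon": "/img/a.png" };
const allow = new Set(["data-icon"]);

console.log(content(attr(el, "data-label")));      // in-page use works
console.log(src(attr(el, "data-icon")));           // tainted: refused
console.log(src(attr(el, "data-icon", allow)));    // allowlisted: usable as a URL
console.log(src(concat("/icons/", attr(el, "data-label", allow), ".png"))); // taint survives concat
```

Tracking taint as a set of attribute names rather than a boolean lets a refusal be traced back to the attribute that caused it, and mixing an allowlisted value with a non-allowlisted one stays tainted.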