Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from Tab Atkins Jr. via GitHub on 2023-10-10 (public-css-archive@w3.org from October 2023)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Oct 2023 16:39:50 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-1755816432-1696955988-sysbot+gh@w3.org>

Augh tho, I forgot about the attack scenario outlined in <https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-636452209> (using an attr() to shift a value into a property that's observable from within a third-party iframe, like `width`).

Can't even just disallow attr() usage on such elements; depending on the styles of the rest of the page, you might be able to do the shift on a parent element and have layout convey the value down to the iframe.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-1755816432 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 10 October 2023 16:39:51 UTC