- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Fri, 12 Apr 2024 21:41:35 +0000
- To: public-css-archive@w3.org

All right, after internal discussion with @arturjanc, the conclusion from Chrome's security people is that attr() is likely acceptable from a security standpoint to reference arbitrary attributes, so long as it's not used as a url (which just makes it too trivial to exfiltrate potentially-sensitive attribute data, like security tokens). I've modified the spec accordingly.

Assuming this seems reasonable, I'll separately pursue an HTML PR to add some sort of allowlist attribute, which'll remove that restriction from attr() on the element and its descendants.

--
GitHub Notification of comment by tabatkins

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2052599629 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 12 April 2024 21:41:36 UTC