- From: Lea Verou via GitHub <sysbot+gh@w3.org>
- Date: Fri, 12 Apr 2024 22:49:37 +0000
- To: public-css-archive@w3.org
> > I would be much more in favor of shipping attr() support with a whitelist > > Yup, some of our internal security folk were finally able to give a "probably okay" to attr() with some restrictions (mainly, not capable of making a url, unless whitelisted). I'll be working on updating the spec for this Soon. No need to make a new attr(). Oof, generating `data:` URIs was one of the primary use cases though. 😢 Any chance it can depend on the protocol, so that `data:` URIs can still be allowed? What type of whitelisting do you mean by "unless whitelisted"? > My initial reaction is that we don't need a special function just to save adding an initial `"--"` argument. We can always revisit in the future, but this seems like a _very_ narrow convenience feature to justify. Agreed. -- GitHub Notification of comment by LeaVerou Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/9141#issuecomment-2052652536 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 12 April 2024 22:49:38 UTC