- From: Roman Komarov via GitHub <sysbot+gh@w3.org>
- Date: Sat, 13 Apr 2024 08:17:44 +0000
- To: public-css-archive@w3.org
> Yup, some of our internal security folk were finally able to give a "probably okay" to attr() with some restrictions (mainly, not capable of making a url, unless whitelisted). I'll be working on updating the spec for this Soon. No need to make a new attr().

Good to hear!

My main concern for only allowing `data-` attributes was custom elements, where authors are free to name their attributes as they like, and it might be very useful to also use these values in CSS. Requiring using `data-` attributes for custom elements would feel weird. I think it would still be ok to disallow certain attributes (`value`, `nonce`, but maybe this will be included in the “some restrictions”?), at least initially.

Thinking of `data:` URIs, what if… we would allow using only data-attributes for them? This could be a good compromise, and rather easy for authors to remember, as an important nuance of how `attr()` works (`data:` and `data-`). This way the more simple cases with almost any attribute in `attr()` for simple values will be covered, and the already more complicated case of `data:` URIs will still be possible, but with limitations.

Alternatively (or, in addition?), could limiting the types allowed for constructing `data:` URIs be enough to work around its potential issues? In my practice, in almost any use case I had, the only thing I wanted was an ability to pass a color or a dimension to an SVG. Allowing only `<integer>`, `<length>` and `<color>` as values for `data:` URIs should not be more insecure than what is already possible with the attribute selector.

That said, given `data:` URIs are a much more complicated case, I think it could be ok to first do this without them. This way, the authors could already start using attributes for other use cases, and we could work out what we can do with the `data:` URIs without blocking the feature completely.
--
GitHub Notification of comment by kizu
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/9141#issuecomment-2053569336 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 13 April 2024 08:17:45 UTC
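The restriction sketched in the comment above, written out as an added illustration that is not part of the thread, the CSS Values spec, or any browser's `attr()` implementation: any attribute may feed a plain property value, attributes such as `nonce` and `value` are never exposed, and an `attr()` whose result would end up inside `url()` (the `data:` URI case) is accepted only for a `data-*` attribute typed as `<integer>`, `<length>` or `<color>`. The function names (`parseAttr`, `checkAttrUse`, `findAttrUses`, `auditDeclaration`), the block-list and type allow-list taken from the comment, and the accepted `attr()` syntax forms are all assumptions made for this example; the sample declarations are constructed.

```javascript
// Added illustration (not spec text, not browser behaviour) of the policy proposed in the
// comment: attr() may supply a plain value from any attribute, but when the result is used to
// build a url() such as a data: URI, only data-* attributes typed <integer>, <length> or <color>
// are accepted, and attributes like nonce and value are never exposed at all.
// The block-list and allow-list below are assumptions taken from the comment.

const BLOCKED_ATTRS = new Set(['nonce', 'value']);
const URL_SAFE_TYPES = new Set(['integer', 'length', 'color']);
const UNIT_TYPES = { px: 'length', em: 'length', rem: 'length', deg: 'angle', '%': 'percentage' };

// Map the raw type token to the CSS value type it produces; no type means <string>.
function normalizeType(raw) {
  if (!raw) return 'string';
  const typed = /^type\(<([a-z-]+)>\)$/.exec(raw);
  if (typed) return typed[1];
  return UNIT_TYPES[raw] || raw;
}

// Parse attr(<name>), attr(<name> <type-or-unit>) or attr(<name> <type>, <fallback>).
// Returns { name, type, fallback } or null when the expression is not an attr() call.
function parseAttr(expr) {
  const m = /^attr\(\s*([A-Za-z_][\w-]*)(?:\s+(type\(<[a-z-]+>\)|[a-z%]+))?\s*(?:,\s*([^)]*))?\)$/
    .exec(expr.trim());
  if (!m) return null;
  return {
    name: m[1].toLowerCase(),
    type: normalizeType(m[2]),
    fallback: m[3] !== undefined ? m[3] : null,
  };
}

// Decide whether one attr() use is permitted. context is 'value' for an ordinary property
// value or 'url' when the result would end up inside url() / a data: URI.
function checkAttrUse(expr, context) {
  const parsed = parseAttr(expr);
  if (!parsed) return { allowed: false, reason: 'not an attr() expression' };
  const { name, type } = parsed;
  if (BLOCKED_ATTRS.has(name)) return { allowed: false, reason: `attribute "${name}" is never exposed` };
  if (context === 'value') return { allowed: true, reason: 'plain value: any other attribute is fine' };
  if (context !== 'url') return { allowed: false, reason: `unknown context "${context}"` };
  if (!name.startsWith('data-')) return { allowed: false, reason: 'url context requires a data-* attribute' };
  if (!URL_SAFE_TYPES.has(type)) return { allowed: false, reason: `<${type}> cannot feed a data: URI` };
  return { allowed: true, reason: `data-* attribute typed <${type}> is fine in a data: URI` };
}

// Scan a declaration value for attr() calls and record whether each sits inside url(...).
function findAttrUses(value) {
  const uses = [];
  const open = [];          // names of the CSS functions open at the current position
  let i = 0;
  while (i < value.length) {
    const fn = /^([A-Za-z-]+)\(/.exec(value.slice(i));
    if (fn && fn[1].toLowerCase() === 'attr') {
      let depth = 0, j = i; // walk to the parenthesis that closes this attr()
      for (; j < value.length; j++) {
        if (value[j] === '(') depth++;
        else if (value[j] === ')' && --depth === 0) break;
      }
      uses.push({ expr: value.slice(i, j + 1), context: open.includes('url') ? 'url' : 'value' });
      i = j + 1;
    } else if (fn) {
      open.push(fn[1].toLowerCase());
      i += fn[0].length;
    } else {
      if (value[i] === ')') open.pop();
      i++;
    }
  }
  return uses;
}

// Audit every attr() call in a declaration value against the proposed policy.
function auditDeclaration(value) {
  return findAttrUses(value).map(u => Object.assign({}, u, checkAttrUse(u.expr, u.context)));
}

// Constructed sample declarations, printed when the file is run directly.
const SAMPLES = [
  'attr(title)',                          // any attribute as a plain value: allow
  'attr(nonce)',                          // blocked outright
  'url(attr(data-src))',                  // <string> into url(): deny
  'url(attr(src))',                       // non data-* into url(): deny
  'url(attr(data-fill type(<color>)))',   // <color> from data-*: allow
  '1px solid attr(data-stroke px)',       // <length> as a plain value: allow
];
for (const s of SAMPLES) {
  for (const r of auditDeclaration(s)) {
    console.log(`${s.padEnd(38)} ${r.allowed ? 'allow' : 'deny '} (${r.reason})`);
  }
}
```

The scanner only tracks `url(` nesting, which is enough to separate the two cases the comment distinguishes; a real engine would make this decision on the parsed value, not on the text of the declaration.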