Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

I think the proposal is just to restrict `attr()` in `url()` (or any similar functions) so this shouldn't affect the pattern mentioned above.

But to answer the question about relative URLs: unfortunately that would still be concerning from a security perspective because of the ubiquity of open redirects across the web, which allow a relative (same-origin) URL to end up making a request to an external destination. This would allow the exfiltration of data from the DOM on origins which have open redirects.

-- 
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2053595422 using your GitHub account


Received on Saturday, 13 April 2024 09:55:35 UTC
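
The point about relative URLs, as an added sketch that is not part of the original comment or of the CSSWG draft: it resolves a reference against the document URL and follows redirects hop by hop, so a check made only on the initial URL can be compared with where the request actually ends up. The origin `app.example`, its `/go?next=` endpoint, `other.example` and the `sampleRedirects` table are constructed assumptions.

```javascript
// Constructed sample: redirect behaviour of a hypothetical origin that has an
// open redirect at /go?next=<url>. Returns the Location value, or null for a
// normal (non-redirect) response.
function sampleRedirects(url) {
  if (url.origin === "https://app.example" && url.pathname === "/go") {
    return url.searchParams.get("next"); // open redirect: target is not validated
  }
  if (url.origin === "https://app.example" && url.pathname === "/old-logo.png") {
    return "/img/logo.png"; // ordinary same-origin redirect
  }
  return null;
}

// Resolve `ref` against `documentUrl` and follow redirects the way a
// subresource fetch would, recording every hop.
function traceFetch(documentUrl, ref, redirectFor, maxHops = 20) {
  const docOrigin = new URL(documentUrl).origin;
  let current = new URL(ref, documentUrl);
  // This is all a "relative URLs only" rule can verify up front.
  const initialSameOrigin = current.origin === docOrigin;
  const hops = [current.href];
  for (let i = 0; i < maxHops; i++) {
    const location = redirectFor(current);
    if (location === null) break;
    current = new URL(location, current); // Location resolves against the current URL
    hops.push(current.href);
  }
  // First hop, if any, that leaves the document's origin.
  const crossOriginHop =
    hops.find((h) => new URL(h).origin !== docOrigin) ?? null;
  return { initialSameOrigin, crossOriginHop, hops };
}

// A relative reference passes the up-front check yet leaves the origin.
const viaOpenRedirect = traceFetch(
  "https://app.example/page",
  "/go?next=https%3A%2F%2Fother.example%2Fx",
  sampleRedirects
);
// A relative reference whose redirect stays on the same origin.
const viaPlainRedirect = traceFetch(
  "https://app.example/page",
  "/old-logo.png",
  sampleRedirects
);
console.log(viaOpenRedirect, viaPlainRedirect);
```
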