Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from Tab Atkins Jr. via GitHub on 2024-04-15 (public-css-archive@w3.org from April 2024)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 15 Apr 2024 03:48:16 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2054805411-1713152893-sysbot+gh@w3.org>

@faceless2 As @arturjanc said, the restriction is on *using* the value in a URL, not using the value *from* a URL attribute to do something else. Your example is totally fine.  (And also, generally, print media can probably ignore this restriction since it's not including untrusted 3rd party CSS and loading URLs dynamically with ambient authority.)

@cdoublev Yes, the former. Standard validity rules, so the first is invalid at parse time, and the second is "invalid at computed-value time" since it fails to parse after substitution.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2054805411 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 15 April 2024 03:48:17 UTC