- From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
- Date: Mon, 15 Apr 2024 10:20:47 +0000
- To: public-css-archive@w3.org
> > Yup, some of our internal security folk were finally able to give a "probably okay" to attr() with some restrictions (mainly, not capable of making a url, unless whitelisted). I'll be working on updating the spec for this Soon. No need to make a new attr().
>
> Good to hear! My main concern for only allowing `data-` attributes were custom elements, where authors are free to name their attributes as they like, and it might be very useful to also use these values in CSS. Requiring using `data-` attributes for custom elements would feel weird.

Can be `id`, `data-*`, and any custom-element observed attribute. But seeing where we landed in #5092 this might not be necessary.

> I think it would still be ok to disallow certain attributes (`value`, `nonce`, but maybe this will be included in the “some restrictions”?), at least initially.

There is no issue with the `value` attribute - it doesn't expose the value entered by the user (only the default value). I think actually `nonce` is the only sensitive attribute ATM.

> Thinking of `data:` URIs, what if… we would allow using only data-attributes for them? This could be a good compromise, and rather easy for authors to remember, as an important nuance of how `attr()` works (`data:` and `data-`).

I don't think that's necessary. These subtle restrictions are going to make this feature more difficult to use.

--
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/9141#issuecomment-2056472709 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 15 April 2024 10:20:48 UTC
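As an added illustration (not code from the thread, the CSSWG, or any browser): a small JavaScript lint pass that flags the `attr()` usages discussed above, namely `attr(nonce)`, `attr()` nested inside `url()`, and attribute names outside an assumed allow-list of `id`, `data-*` and a caller-supplied set of custom-element observed attributes. The allow-list and the no-URL rule are modelled on the proposals in the thread and are assumptions, not the spec's text.

```javascript
// Added example (not CSSWG code): lint attr() usages per the concerns above. The
// allow-list and the "no URL from attr()" rule are assumptions modelled on the thread.

// Every attr() reference in the CSS text, with the attribute name it names.
function findAttrRefs(css) {
  const attrRe = /attr\(\s*([A-Za-z_:][-A-Za-z0-9_:.]*)/g;
  const refs = [];
  for (const m of css.matchAll(attrRe)) refs.push({ name: m[1], index: m.index });
  return refs;
}

// True when `pos` lies inside a url(...) call, i.e. the value would form a URL.
function insideUrl(css, pos) {
  const urlRe = /url\(/gi;
  let m;
  while ((m = urlRe.exec(css)) !== null) {
    let depth = 0;
    for (let i = m.index + 3; i < css.length; i++) {
      if (css[i] === '(') depth++;
      else if (css[i] === ')') depth--;
      if (depth === 0) break;      // this url() closed before reaching pos
      if (i === pos) return true;  // pos sits inside the still-open url()
    }
  }
  return false;
}

// Assumed allow-list: id, data-*, or a custom element's observed attributes.
function attrAllowed(name, observed = new Set()) {
  const lower = name.toLowerCase();
  return lower === 'id' || lower.startsWith('data-') || observed.has(lower);
}

function lintCss(css, observed = new Set()) {
  const findings = [];
  for (const { name, index } of findAttrRefs(css)) {
    if (name.toLowerCase() === 'nonce') findings.push({ name, issue: 'sensitive-attribute' });
    if (insideUrl(css, index)) findings.push({ name, issue: 'attr-in-url' });
    if (!attrAllowed(name, observed)) findings.push({ name, issue: 'not-allowlisted' });
  }
  return findings;
}

// Constructed sample stylesheet exercising each case (x-chip observes `label`).
const SAMPLE_CSS = `
  .tag::after  { content: attr(data-label); }
  .leak::after { content: attr(nonce); }
  .card        { background-image: url(attr(data-src)); }
  x-chip::before { content: attr(label); }
`;
```

Running `lintCss(SAMPLE_CSS, new Set(['label']))` reports three findings: `nonce` as sensitive and not allow-listed, and `data-src` as used inside `url()`; the `data-label` and observed `label` references pass.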