Re: [csswg-drafts] [css-values] attr()'s url type seems wrong (#5079) from andruud via GitHub on 2024-12-18 (public-css-archive@w3.org from December 2024)

From: andruud via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Dec 2024 19:54:44 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2552153459-1734551681-sysbot+gh@w3.org>

@annevk With the new security restrictions which prevent any [attr-tainted](https://drafts.csswg.org/css-values-5/#attr-taint) value from being used as a URL, does this change still make sense?

As the spec is right now, `attr(href type(<url>))` _is_ allowed, but attempts at using that in anything that would trigger a load of that URL will make it invalid at computed-value time. The only case where this still matters is when you _serialize_ something like `--x: attr(href, type(<url>))`.

-- 
GitHub Notification of comment by andruud
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5079#issuecomment-2552153459 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 18 December 2024 19:54:45 UTC