- From: andruud via GitHub <sysbot+gh@w3.org>
- Date: Wed, 12 Jun 2024 20:43:34 +0000
- To: public-css-archive@w3.org
The security restrictions as proposed are problematic to implement. As @cdoublev points out, it's not obvious if something should be invalid at parse time or at computed-value time. All it takes is a grammar like `<color> || <string>`, and you don't know if an `attr()` is valid in that spot until _after_ substitution. We should treat `attr()` exactly like `var()`, i.e. always making it valid at parse time.

Also, we should probably specify (for simplicity) that any `attr()` substituted into a custom property causes the _whole custom property value_ to be attr()-tainted. Otherwise we need some complicated way of tracking tainted _parts_ of values through `var()`-chains.

But even with that, this will be kind of horrible. The spec says that `attr()` is not valid within `<url>` values, but `var()`/`attr()` is substituted on the "raw" token stream / input string level, _before_ being passed to the property parser. There is no concept of `<url>` during substitution. I think we'd either have to parse and substitute at the same time (interleaved with each other), or basically do per-token tainting, and both of those are kind of big asks ... I'm not sure we can do it without regressing general performance too much.

I suppose we can _try_, but we should make the two modifications I mentioned above to give the proposal the best chance of successful implementation.

> If I did not miss any, in [filter()](https://drafts.fxtf.org/filter-effects-1/#funcdef-filter), [image()](https://drafts.csswg.org/css-images-4/#funcdef-image), and [image-set()](https://drafts.csswg.org/css-images-4/#funcdef-image-set).

Yes, please, let's be more specific about where `attr()` is invalid.

--
GitHub Notification of comment by andruud
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2163866698 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 12 June 2024 20:43:35 UTC
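The whole-value tainting rule and the computed-value-time rejection for `<url>`-bearing properties discussed in the comment, modelled as an added JavaScript example (this is not Chromium's or the spec's code; the attribute values, custom properties and the `URL_PROPERTIES` set are constructed assumptions):

```javascript
// Model of the proposed rule: any attr() substituted into a custom property
// taints the WHOLE custom property value, the taint follows var() chains, and a
// property whose grammar contains <url> rejects a tainted value at
// computed-value time (substitution itself never fails at parse time).
// Element attributes and custom property declarations are constructed input.

const ATTRS = { "data-bg": "https://example.com/pixel.png", "data-fg": "red" };

// Custom property declarations as raw, unparsed strings, as the cascade sees them.
const CUSTOM = {
  "--fg": "attr(data-fg)",
  "--bg": "url(attr(data-bg))",
  "--pad": "4px",
  "--theme": "var(--fg) var(--pad)",
};

// Substitute var()/attr() on the raw string level (no <url> notion here),
// returning { value, tainted }. `seen` guards against var() cycles.
function substitute(text, attrs, custom, seen = new Set()) {
  let tainted = false;
  // attr(name) -> attribute value; the whole result becomes tainted.
  let out = text.replace(/attr\(\s*([\w-]+)\s*\)/g, (_, name) => {
    tainted = true;
    return attrs[name] ?? "";
  });
  // var(--name) -> recursively substituted custom property; taint propagates.
  out = out.replace(/var\(\s*(--[\w-]+)\s*\)/g, (_, name) => {
    if (seen.has(name) || !(name in custom)) return "";
    const sub = substitute(custom[name], attrs, custom, new Set([...seen, name]));
    tainted = tainted || sub.tainted;
    return sub.value;
  });
  return { value: out, tainted };
}

// Assumed set of properties whose grammar contains <url>.
const URL_PROPERTIES = new Set(["background-image", "list-style-image"]);

// Computed-value-time check: returns the computed value, or null when the
// declaration is "invalid at computed-value time" because it is attr()-tainted.
function computeProperty(property, declared, attrs, custom) {
  const { value, tainted } = substitute(declared, attrs, custom);
  if (tainted && URL_PROPERTIES.has(property)) return null;
  return value;
}
```

Note that `--theme` never mentions `attr()` itself yet is tainted through `var(--fg)`, which is exactly the chain the comment wants to avoid tracking per part.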