- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Thu, 13 Jun 2024 10:57:09 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[css-values] Security concerns regarding attr()`.

<details><summary>The full IRC log of that discussion</summary>

<jarhar> TabAtkins: there's been discussion since 14 hours ago I did not see. well let's just intro the thing and we'll ? conclusions from this because we'll need more discussions
<jarhar> TabAtkins: when we ? the attr function to parse values to things other than strings, there was a concern from security folks that this made a new exfiltration hack which you could take an attribute that stores ? parse that into an integer, put that into a url via the src syntax and then you can send any arbitrary attribute value out to hostile server
<jarhar> TabAtkins: so, while most cases that use that are fine and we don't want to lock this down in some crazy way, we want to prevent it from doing this sort of thing. I have a proposal in the spec, disallowing attr values from being used to build urls
<jarhar> TabAtkins: that persists though ? changes, basically change the value and you can't use that value in a url ever
<jarhar> TabAtkins: requested review a while ago, anders said ? back, so I just want to say I would love others to review unless anders you know something that would be good to share
<jarhar> TabAtkins: otherwise we can just call it good
<jarhar> andruud: we can discuss in the issue
<jarhar> astearns: anyone with questions?
<miriam> q+
<astearns> ack miriam
<jarhar> miriam: I just wanted to say that I like moving towards an attr that we can actually ship so I support this process
<bramus> +10000
<lwarlow> q+
<jarhar> astearns: we'll take this back to the issue and I will re-add the agenda issue later
<astearns> ack lwarlow
<jarhar> lwarlow: if you've got the ability to - if the if check was that specific to custom properties? if you have conditionals and you can assign the attr value and then assign that into a variable where you can do stuff not in the url but ?
<jarhar> TabAtkins: I don't know the implications of that right now, but the tainting would have to be fairly wide
<jarhar> TabAtkins: let's discuss this in the issue, ?
<jarhar> iank_: anders your concern would go away if you like wholesale tainted attrs for any properties that accepted url type things right?
<jarhar> andruud: yes
<jarhar> andruud: that would make it easier but I assume that would be too limiting, wouldn't be able to use it inside a gradient or background image
<jarhar> andruud: so I think that's not a good
<jarhar> andruud: I was wondering tab, attr now becomes yet another invalid at computed value time thing. if you use it anywhere it becomes ? at parse time
<jarhar> TabAtkins: that is separate from security. it introduces ?
<jarhar> andruud: have you considered leaving it as it's been discussed ?? the attr has height inline in the fn, so we could interpret that type during the regular parse time
<jarhar> TabAtkins: yes but getting every place that accepts numbers to calc, doing that same parser genericness for all types sounds like a much more annoying issue
<emilio> can confirm :)
<jarhar> TabAtkins: there's still places you can put a number in but not a calc in css
<emilio> q+
<jarhar> TabAtkins: parse ? written by hand instead of generatables ? treat it like a link
<jarhar> andruud: security, would be easier to say oh when you're trying to parse a string in this situation after it's invalid vs the security restrictions you can put in vs this proposal ?
<jarhar> TabAtkins: ignoring what the type of the attr is, the type of the attr can ? some attribute value. the attribute value doesn't parse as that type and that's what you need ? for
<jarhar> andruud: ok but you could define fallback, which so the attr is parsed as an attr value and then during the regular parse time and then computes to something computed value time, and if it doesn't match then take the fallback
<jarhar> TabAtkins: yes, if we require a fallback
<jarhar> astearns: ?
<jarhar> TabAtkins: it allows a fallback, but overall the treating attrs different from a registered custom property doesn't get us much. you can declare as an integer and you'll get ? behavior
<jarhar> andruud: I'm not opposed to using substitution behavior
<jarhar> TabAtkins: substitution is much easier than ?
<astearns> ack emilio
<jarhar> emilio: to clarify what tab said, it's not about parsing it also about storing and making every property ? rather than at a single place, right? it's the same thing, at least on gecko's side that's the main issue with supporting arbitrary unit inside calc because suddenly stuff that used to be a double now it's like a tree of objects that you need to defer computation, so either ? introduce this kind of thing unless you do it at the ? time
<jarhar> andruud: we have the same issue but we have to work on that. ? sibling index, sine function, progress functions, so we have to do it anyway I think
<jarhar> TabAtkins: ? numeric property ? every value
<jarhar> emilio: I agree that it's kind of - we've been thinking ? this road for a long time, feels like a huge amount of work
<emilio> s/thinking/kicking this can down the road/
<jarhar> TabAtkins: any other comments or can we close this issue?
<jarhar> astearns: let's take this back to the issue

</details>

-- 
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2165315184 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
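The tainting rule TabAtkins describes, and lwarlow's question about routing an attr() value through a custom property first, as an added example that is not part of the bot's post, the CSS specification, or any browser engine: a toy JavaScript model in which every value produced by attr() carries a taint flag, the flag follows the value through custom properties and var(), and a url()/src() argument that contains a tainted piece makes the whole declaration invalid at computed-value time. The node shapes, the `ctx` object, the number/string type handling, and the choice to leave stylesheet fallbacks untainted are all assumptions of this example, not spec text.

```javascript
// Toy model of the attr() URL-tainting rule (added example, not from the CSS
// spec or any engine; node shapes, ctx layout and type handling are assumed).

// A resolved value fragment: its text plus a flag recording whether any part
// of it came from an element attribute via attr().
const fragment = (text, tainted = false) => ({ text, tainted });

// Concatenate fragments; the result is tainted if any input was.
function join(frags) {
  return fragment(frags.map((f) => f.text).join(""), frags.some((f) => f.tainted));
}

// Resolve one attr() node against the element's attributes.  Anything read
// from an attribute is tainted whatever the requested type; a fallback is
// stylesheet text, so this model leaves it untainted (an assumption).
function resolveAttr(node, ctx) {
  const fallback = node.fallback === undefined ? null : fragment(node.fallback);
  const raw = ctx.attrs[node.name];
  if (raw === undefined) return fallback;
  if (node.valueType === "number") {
    const n = Number(raw);
    // Attribute text that does not parse as a number: use the fallback, or fail.
    return raw.trim() !== "" && Number.isFinite(n) ? fragment(String(n), true) : fallback;
  }
  return fragment(raw, true); // "string" (the default): the raw text, tainted
}

// Resolve a node list into one fragment, or null when the declaration is
// invalid at computed-value time (IACVT), as the discussion calls it.
function resolve(nodes, ctx) {
  const out = [];
  for (const node of nodes) {
    let f = null;
    switch (node.kind) {
      case "text":
        f = fragment(node.text);
        break;
      case "attr":
        f = resolveAttr(node, ctx);
        break;
      case "var": // taint travels with the stored custom property value
        f = node.name in ctx.customProps ? ctx.customProps[node.name] : null;
        break;
      case "url": // url() and src() both build a URL the engine would fetch
      case "src": {
        const arg = resolve(node.args, ctx);
        // The security rule: a tainted URL argument invalidates the whole value.
        f = arg !== null && !arg.tainted ? fragment(`${node.kind}("${arg.text}")`) : null;
        break;
      }
    }
    if (f === null) return null;
    out.push(f);
  }
  return join(out);
}

// Compute a custom property and store it so later var() references carry its taint.
function setCustomProperty(name, nodes, ctx) {
  const f = resolve(nodes, ctx);
  if (f !== null) ctx.customProps[name] = f;
  return f;
}

// Compute a regular declaration: the computed text, or null if it is IACVT.
function computeDeclaration(nodes, ctx) {
  const f = resolve(nodes, ctx);
  return f === null ? null : f.text;
}

// Constructed sample element and stylesheet fragments (not from the page).
const ctx = { attrs: { "data-w": "20", "data-token": "s3cr3t-value" }, customProps: {} };
const lit = (t) => ({ kind: "text", text: t });
const attrRef = (name, valueType, fallback) => ({ kind: "attr", name, valueType, fallback });

// 1. attr() as a number in a non-URL property: allowed (tainted, but harmless here).
const width = computeDeclaration([attrRef("data-w", "number", "10"), lit("px")], ctx);
// 2. An attribute value spliced into url(): rejected, so it is never fetched.
const direct = computeDeclaration(
  [{ kind: "url", args: [lit("https://third-party.example/?v="), attrRef("data-token", "string")] }], ctx);
// 3. Routing it through a custom property does not help: the taint follows var().
setCustomProperty("--n", [attrRef("data-w", "number")], ctx);
const viaVar = computeDeclaration(
  [{ kind: "src", args: [lit("https://third-party.example/?n="), { kind: "var", name: "--n" }] }], ctx);
// 4. Attribute-derived values in non-URL functions still work, which is why the
//    rule taints url() arguments rather than every URL-accepting property.
const gradient = computeDeclaration(
  [lit("linear-gradient("), attrRef("data-w", "number"), lit("deg, red, blue)")], ctx);
// 5. A stylesheet fallback is not attribute data, so it may still form a URL.
const fallbackUrl = computeDeclaration(
  [{ kind: "url", args: [attrRef("data-missing", "string", "default.png")] }], ctx);

console.log({ width, direct, viaVar, gradient, fallbackUrl });
```

The model taints at the granularity of a url()/src() argument, which is the finer-grained option weighed in the log: iank_'s "wholesale" alternative of tainting every URL-accepting property would reject case 4 as well, which is the gradient and background-image loss andruud objects to.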
Received on Thursday, 13 June 2024 10:57:10 UTC