Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from andruud via GitHub on 2024-09-23 (public-css-archive@w3.org from September 2024)

From: andruud via GitHub <sysbot+gh@w3.org>
Date: Mon, 23 Sep 2024 08:09:55 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2367503260-1727078992-sysbot+gh@w3.org>

We have a prototype of the attr()-tainting proposal in Blink now. The proposal generally looks fine, and has proven to be implementable, so I **suggest that we resolve to accept it**, with two clarifications:

 1. Violating security restrictions (e.g. `url(attr())`) causes the declaration to be invalid at _computed-value time_, not invalid at parse-time as explained in [a comment](https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2054805411) here.
     - We don't know how to parse something (against a property's grammar) until after [arbitrary function substitution](https://drafts.csswg.org/css-variables/#substitute-a-var), and I'd like to keep it that way. See the [image()](https://drafts.csswg.org/css-images-4/#image-notation) function for example: `image(attr(...))`. Does that take the `<image-src>` branch (invalid), or the `<color>` branch (valid)? We would have to "peer into" the attr() function, and spec how all of that works. It's not worth it.
    - Maintains consistency with with attr()'s [general failure mode](https://drafts.csswg.org/css-values-5/#attr-substitution), i.e. IACVT when there is no substitution value (e.g. type mismatch).
    -  Note: The spec could already be interpreted this way, through the final normative paragraph of [7.4](https://drafts.csswg.org/css-values-5/#attr-notation), but the above mentioned comment contradicts that.
 2. Only the affected parts of a custom property become tainted, example:
     ```
     --img: "bg.gif", attr(my-attr-green);
     background: image(var(--img));
     ```
     The above works as expected, because the `<string>` part of the `image()` is not affected by `attr()`.

-- 
GitHub Notification of comment by andruud
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2367503260 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 23 September 2024 08:09:56 UTC