- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Fri, 04 Apr 2025 14:51:32 +0000
- To: public-css-archive@w3.org
No, the security concerns are identical, because we were already considering the possibility of a content attribute containing sensitive information. That is, the possibility of exfiltrating a `data-secret-id` attribute was explicitly why we designed the `attr()` behavior the way we did. This is identical to the risk of exfiltrating a password input's value. (And yes, JS libraries using two-way bindings to reflect values back into attributes was *also* a concern.) This is why the security was only "lightly covered" in the discussion - the issue had already been solved adequately in attr() and we're just using the same solution, since the information being exposed is identical in attack value. > But if the suggested [:value] selector comes into existence, Yes, security issues are a significant blocker for that selector. That has nothing to do with the design of `control-value()`, tho. -- GitHub Notification of comment by tabatkins Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-2778961694 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 4 April 2025 14:51:33 UTC