Re: [csswg-drafts] [css-forms-1] `control-value()` function (#7869)

No, the security concerns are identical, because we were already considering the possibility of a content attribute containing sensitive information. That is, the possibility of exfiltrating a `data-secret-id` attribute was explicitly why we designed the `attr()` behavior the way we did. This is identical to the risk of exfiltrating a password input's value. (And yes, JS libraries using two-way bindings to reflect values back into attributes was *also* a concern.)

This is why the security was only "lightly covered" in the discussion - the issue had already been solved adequately in `attr()` and we're just using the same solution, since the information being exposed is identical in attack value.

> But if the suggested [:value] selector comes into existence,

Yes, security issues are a significant blocker for that selector. That has nothing to do with the design of `control-value()`, tho.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-2778961694 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 4 April 2025 14:51:33 UTC