Re: [csswg-drafts] [css-values-5][css-conditional-5] Security Concern: Accelerated Data Exfiltration with attr() and Style Query Ranges (#12410)

From a security point of view, allowing ranges in style container queries doesn't really increase the capabilities that an attacker has because they could use CSS3 attribute selectors to directly exfiltrate such data, e.g. 
```css
/* The background request is only sent when the attribute value starts
   with "a", so each rule leaks one yes/no answer to the attacker's server. */
input[value^="a"] {
  background: url(/value-starts-with-a);
}
```
(See https://portswigger.net/research/blind-css-exfiltration for some details)

The ability to query attribute contents from a CSS value declaration (e.g. `<div style="background-color: if(style(attr(data-columns, type<number>) > 2): lightblue; else: white);">`) seems a bit scarier because it allows contents in style attributes (frequently allowed by HTML sanitizers, even when `<style>` and `<link rel=stylesheet>` tags are disallowed) to probe attribute values of their element - which wasn't possible in the past (because attribute selectors don't work in inline styles).

That said, IIUC the `if()` syntax in CSS already allows direct matches against attribute values, so introducing ranges doesn't give attackers qualitatively new capabilities, it just makes it faster to recover the value. IMHO the limitation to numeric types only (i.e. not allowing `<string>` types to be compared against) should be a sufficient mitigation, so overall I don't think the behavior described here is problematic security-wise.

-- 
GitHub Notification of comment by arturjanc
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/12410#issuecomment-3146471553 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 2 August 2025 12:22:41 UTC
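As an added example that is not part of the comment above or of the CSS specs it discusses, the following JavaScript simulates the two "oracles" the comment contrasts: a prefix oracle (one yes/no answer per `[attr^="..."]` selector, as in the blind CSS exfiltration technique linked above) and a range oracle (one yes/no answer per numeric `>` comparison, as a style query range would give). Each probe stands in for one CSS rule whose `background: url(...)` fetch leaks a bit; counting probes shows why ranges only make recovery faster rather than enabling anything new. The secret value `1234`, the five-digit bound, and all function names are assumptions made for the example.

```javascript
// Added example, not code from the thread: simulate the prefix oracle
// (CSS3 attribute selectors) and the range oracle (style query ranges)
// and count how many leaked yes/no answers each needs to recover a
// numeric attribute value. Secret, bound and names are assumptions.

// Prefix oracle: what input[value^="12"] { background: url(...) } answers,
// i.e. "does the attribute value start with this string?".
function makePrefixOracle(secret) {
  let probes = 0;
  const text = String(secret);
  return {
    startsWith(prefix) { probes += 1; return text.startsWith(prefix); },
    probes: () => probes,
  };
}

// Range oracle: what a comparison against attr(..., type<number>) answers,
// i.e. "is the numeric attribute value greater than x?". A value that does
// not parse as a number never satisfies the comparison, which is why the
// comment treats the numeric-only restriction as a mitigation.
function makeRangeOracle(secret) {
  let probes = 0;
  const n = Number(secret);
  return {
    greaterThan(x) {
      probes += 1;
      if (!Number.isFinite(n)) return false; // non-numeric attribute: no match
      return n > x;
    },
    probes: () => probes,
  };
}

// Digit-by-digit recovery with the prefix oracle: up to ten probes per
// digit, plus a final round of ten misses to learn that the value ended.
function recoverByPrefix(oracle, maxDigits) {
  let prefix = '';
  for (let pos = 0; pos < maxDigits; pos += 1) {
    let extended = false;
    for (let d = 0; d <= 9; d += 1) {
      if (oracle.startsWith(prefix + d)) { prefix += d; extended = true; break; }
    }
    if (!extended) break;
  }
  return prefix;
}

// Binary search with the range oracle: one probe per bit of the value's
// range, so roughly log2(range) probes instead of ~10 per digit.
function recoverByRange(oracle, lo, hi) {
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    if (oracle.greaterThan(mid)) lo = mid + 1; else hi = mid;
  }
  return lo;
}

// Run both recoveries against the same secret and report the probe counts.
// maxDigits is the attacker's assumed upper bound on the value's length.
function probeCounts(secret, maxDigits) {
  const prefixOracle = makePrefixOracle(secret);
  const rangeOracle = makeRangeOracle(secret);
  const hi = 10 ** maxDigits - 1; // largest value with maxDigits digits
  return {
    prefix: recoverByPrefix(prefixOracle, maxDigits),
    prefixProbes: prefixOracle.probes(),
    range: recoverByRange(rangeOracle, 0, hi),
    rangeProbes: rangeOracle.probes(),
  };
}

// Constructed sample: a five-digit bound on a data-columns-style value.
console.log(probeCounts(1234, 5));
```

For the constructed secret `1234` the prefix oracle spends 24 probes (2 + 3 + 4 + 5 for the digits, then 10 misses to confirm the end) while the range oracle needs at most 17 for a 0..99999 bound; both recover the same value, so the range oracle changes the speed of the leak, not what can be leaked. Against a non-numeric attribute value the range oracle never matches and binary search collapses to the lower bound, which is the numeric-only limitation the comment relies on.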