- From: Emilio Cobos Álvarez via GitHub <noreply@w3.org>
- Date: Wed, 10 Dec 2025 23:04:04 +0000
- To: public-css-archive@w3.org
Well, I get the theory, but I think I'd like to know some of the details here... We need to preserve tainting across custom property substitutions, for example, so it can't just be colors. `attr()` isn't directly comparable here, I believe, because it's gone after custom property substitution, isn't it?
For a concrete trivial-ish example, what happens if I substitute a registered color into an unregistered custom property? Won't that trivially leak the computed color?
Test-case would be:
```html
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<style>
@property --accent {
  inherits: true;
  syntax: "<color>";
  initial-value: #0f0;
}
:root {
  --accent: AccentColor;
  --my-color: var(--accent);
  background-color: var(--accent);
  color: AccentColorText;
}
</style>
<pre><script>
document.writeln(getComputedStyle(document.documentElement).backgroundColor);
document.writeln(getComputedStyle(document.documentElement).getPropertyValue("--accent"));
document.writeln(getComputedStyle(document.documentElement).getPropertyValue("--my-color"));
</script></pre>
```
Expected behavior without tainting is three identical lines. @kyerebo what's the behavior of Chromium with your patch in that test-case?
@LeaVerou was also talking about more complex examples with `if()` and so on, which would also allow exfiltrating some of the values to other properties like e.g. `z-index`. How do you preserve the tainting in that case? What do you return for tainted values?
--
GitHub Notification of comment by emilio
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10372#issuecomment-3639308591 using your GitHub account
Received on Wednesday, 10 December 2025 23:04:05 UTC