Re: [csswg-drafts] [css-values-5] allow attr() to be used for URLs (#12340) from Shaw Jia via GitHub on 2025-06-16 (public-css-archive@w3.org from June 2025)

From: Shaw Jia via GitHub <noreply@w3.org>
Date: Mon, 16 Jun 2025 23:59:31 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2978507872-1750118369-noreply@w3.org>

You're right, I read up on CORS and it blocks you from reading the response, but not block the request.

So CORS is the wrong technology to use here.

But we can check whether the constructed URL is same-origin, and block it entirely (from making the request) if it isn't, no?

-- 
GitHub Notification of comment by miragecraft
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/12340#issuecomment-2978507872 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 16 June 2025 23:59:31 UTC