Re: [csswg-drafts] [css-values-5][css-conditional-5] Security Concern: Accelerated Data Exfiltration with attr() and Style Query Ranges (#12410)

While this could possibly _execute_ in logarithmic time, we can't really "create" the steps dynamically in CSS, so all possibilities would still need to be specified in full, I guess? E.g.:

```
/* Find a number in the range [0, 7] */
@container style(attr(uid <number>) < 4) {
    @container style(attr(uid <number>) < 2) {
        @container style(attr(uid <number>) = 0) {
            /* 0 */
        } @else {
            /* 1 */
        }
    } @else {
        @container style(attr(uid <number>) = 2) {
            /* 2 */
        } @else {
            /* 3 */
        }
    }
} @else {
    @container style(attr(uid <number>) < 6) {
        @container style(attr(uid <number>) = 4) {
            /* 4 */
        } @else {
            /* 5 */
        }
    } @else {
        @container style(attr(uid <number>) = 6) {
            /* 6 */
        } @else {
            /* 7 */
        }
    }
}
```

(Using https://drafts.csswg.org/css-conditional-5/#else-rule).

> The weakness then is not in CSS, though, but in the system that chose to use numeric identifiers, which are a big no-no for any of the examples mentioned.

Sure. Though even if it's a wont-fix, it's still worth thinking about possible new data exfiltration methods for new CSS features.

... but is it actually _new_? You could for example use `width:attr(uid px)` on a CQ container, and then use the same trick with _size_ queries. (There is probably a more obvious case I'm not thinking of.)

-- 
GitHub Notification of comment by andruud
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/12410#issuecomment-3015163665 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 28 June 2025 10:16:38 UTC