Re: [csswg-drafts] [css-forms-1] control-value() security and handling (#11860) from Tab Atkins Jr. via GitHub on 2025-03-06 (public-css-archive@w3.org from March 2025)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Thu, 06 Mar 2025 23:06:25 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2705137346-1741302383-sysbot+gh@w3.org>

Password input values aren't security-conscious in this context; the page already has access to them. (And they might even be *visible*, depending on your browser, if you click the "reveal password" UI.)

It would be bad for them to be exfiltrateable, but that's what attr() tainting solves.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/11860#issuecomment-2705137346 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 6 March 2025 23:06:26 UTC