Re: [csswg-drafts] [css-forms-1] control-value() security and handling (#11860)

Hi there.  
I’ve had some time to think more about this.  
As of today, it’s already possible in Chrome and Safari to exfiltrate through CSS:

- the character-length of all text‑field IDL values, including passwords  
- the character-combinations of all text‑field IDL values, excluding passwords in most cases  

As for character-disposition, I’m not sure yet, so it’s probably possible.

-- 
GitHub Notification of comment by sb3nder
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/11860#issuecomment-3813812018 using your GitHub account


Received on Wednesday, 28 January 2026 20:36:35 UTC