[csswg-drafts] [css-values-5] Are <url>s with attr() tainted values allowed in custom properties? (#13742) from Antti Koivisto via GitHub on 2026-03-30 (public-css-archive@w3.org from March 2026)

From: Antti Koivisto via GitHub <noreply@w3.org>
Date: Mon, 30 Mar 2026 07:48:12 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-4168382722-1774856889-noreply@w3.org>

anttijk has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-values-5] Are <url>s with attr() tainted values allowed in custom properties? ==
The spec does not have any opt-out for them so seems to say "no":

> Using an attr()-tainted value as or in a <url> makes a declaration invalid at computed-value time.

However the current attr-security.html WPT says "yes":

```
    test_attr('--x',
              'src(attr(data-foo))',
              'https://does-not-exist.test/404.png',
              'src("https://does-not-exist.test/404.png")');
```



Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/13742 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 30 March 2026 07:48:12 UTC