[css-forms-1] control-value() security and handling #11860
Labels
Comments
|
We should probably also refuse to expose password input values? |
|
Password input values aren't security-conscious in this context; the page already has access to them. (And they might even be visible, depending on your browser, if you click the "reveal password" UI.) It would be bad for them to be exfiltrateable, but that's what attr() tainting solves. |
cdoublev
added a commit
to cdoublev/css
that referenced
this issue
Mar 9, 2025
- <attr()>: updated grammar - <control-value()>: new function - <random()>: updated grammar - <random-caching-options>: updated grammar - slider-orientation: new property There are also a bunch of new pseudos from CSS Forms. control-value() should be an arbitrary substitution (w3c/csswg-drafts#11860), which is not implemented in this commit, and it should take a type as a keyword (w3c/csswg-drafts#11842). random() might now be simplified at parse time when <random-caching-options> is specified as a <number>, which is not implemented in this commit.
Sign up for free
to join this
44E7
conversation on GitHub.
Already have an account?
Sign in to comment
control-value()is morally equivalent toattr(), just with some special handling of the values since we know something about types. So, it should work identically toattr():The text was updated successfully, but these errors were encountered: