Commit
…ghs" attack. Fixes #3733
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -635,6 +635,51 @@ Variables in Shorthand Properties</h3> | |
| if any of the longhand subproperties for that shorthand have <a>pending-substitution values</a> | ||
| then the serialized value of the shorthand must be the empty string. | ||
|
|
||
| <h3 id=long-variables> | ||
| Safely Handling Overly-Long Variables</h3> | ||
|
|
||
| Naively implemented, | ||
| ''var()'' functions can be used in a variation of the "billion laughs attack": | ||
|
|
||
| <div class=example> | ||
| <pre lang=css> | ||
| .foo { | ||
| --prop1: lol; | ||
| --prop2: var(--prop1) var(--prop1); | ||
| --prop3: var(--prop2) var(--prop2); | ||
| --prop4: var(--prop3) var(--prop3); | ||
| /* etc */ | ||
| } | ||
| </pre> | ||
|
|
||
| In this short example, ''--prop4''’s computed value is ''lol lol lol lol lol lol lol lol'', | ||
| containing 8 copies of the original ''lol''. | ||
| Every additional level added to this doubles the number of identifiers; | ||
| extending it to a mere 30 levels, | ||
| the work of a few minutes by hand, | ||
| would make ''--prop30'' contain <em>nearly a billion instances</em> of the identifier. | ||
| </div> | ||
|
|
||
| To avoid this sort of attack, | ||
| UAs must impose a UA-defined limit on the allowed length of the token stream | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. 
tabatkins
Author
Member
|
||
| that a ''var()'' function expands into. | ||
| If a ''var()'' would expand into a longer token stream than this limit, | ||
| it instead makes the property it's expanding into | ||
| [=invalid at computed-value time=]. | ||
|
|
||
| This specification does not define what size limit should be imposed. | ||
| However, since there are valid use-cases for custom properties that contain a kilobyte or more of text, | ||
| it's recommended that the limit be set relatively high. | ||
|
|
||
| Note: The general principle that UAs are allowed to violate standards due to resource constraints | ||
| is still generally true here; | ||
| a UA might, separately, have limits on how long of a custom property they can support, | ||
| or how large of an identifier they can support. | ||
| This section calls out this attack specifically | ||
| because of its long history, | ||
| and the fact that it can be done without any of the pieces | ||
| <em>seeming</em> to be too large on first inspection. | ||
|
|
||
|
|
||
|
|
||
| <!-- | ||
|
|
@@ -706,5 +751,9 @@ Privacy and Security Considerations {#priv-sec} | |
| =============================================== | ||
|
|
||
| This specification defines a purely author-level mechanism for passing styling information around within a page they control. | ||
| As such, there are no new privacy considerations. | ||
|
|
||
| [[#long-variables]] calls out a long-standing Denial-of-Service attack | ||
| that can be mounted against "macro-expansion"-like mechanisms, | ||
| such as the ''var()'' function, | ||
| and mandates a defense against that attack. | ||
You sure you want to make this a "must"? @andruud was considering not adding one to chrome.