Comment by bawolff
2 months ago
> I'm so lost, or at least, struggling. Why is modern HTML/CSS like this?
Most of the things you mention are not "modern"
> And also apparently clicking on the label toggles the checkbox because, it just works that way by default?
This goes back to the 90s. Clicking on a form widget label causes the widget to be focused.
I believe the original rationale is that is how desktop UIs do it. Also for checkboxes and radio buttons the hitbox would otherwise be quite small.
> And then the CSS properties can vary depending on the checkbox state, without JavaScript, because that's just built into CSS for some reason?
Well yes, if you want to customize the way checkboxes look you need to apply different styles depending on their state. Support for this literally goes back to version 1 of firefox.
> But the various demos get to pull filter definitions out of the SVG?
That's kind of a natural consequence of being able to embed SVG namespace elements directly in html. CSS supports it via the filter property, but i think even before that property existed you could probably do it via direct embedding svg in html or vice versa.
Anyways, my point is this isn't a situation of, what has modern html wrought. Most of this is very old features. I bet you probably could have done the same attack a decade ago.
> Well yes, if you want to customize the way checkboxes look you need to apply different styles depending on their state. Support for this literally goes back to version 1 of firefox.
It doesn't surprise me that this is possible for the checkbox, but it does surprise me that the label responds to the corresponding checkbox's state. (I take it that the styling is being applied to the labels, simply so that multiple labels can share state by all being "for" the same hidden checkbox.)
> That's kind of a natural consequence of being able to embed SVG namespace elements directly in html. CSS supports it via the filter property, but i think even before that property existed you could probably do it via direct embedding svg in html or vice versa.
I've only ever used SVG for... scalable vector graphics. I don't understand why CSS needs access. I get that SVG uses tags so that individual elements of the drawing can be in the DOM and then e.g. get animated by JavaScript. But I would have expected that to require JavaScript.
I think CSS just wanted to be able to apply filters (blur() is a very common use case). Since a filtering language already existed for svgs, and web browsers had already implemented it, it made sense to connect the two. SVGs can also be styled via css, so there needed to be a syntax to mark in document filters as applying to specific svg elements.
I dont really think css filter is neccesary here though. I suspect the exploit could be implemented without that part just by embedding svg on the page.