[sachleen]

You'd have to have all permutations of any length password in the css file AND it would have to be pre-filled using the value attribute.

The original post on this talks about it in more detail:

https://www.mike-gualtieri.com/posts/stealing-data-with-css-...

Summary: A method is detailed - dubbed CSS Exfil - which can be used to steal targeted data using Cascading Style Sheets (CSS) as an attack vector. Due to the modern web's heavy reliance on CSS, a wide variety of data is potentially at risk, including: usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers. The technique can also be used to de-anonymize users on dark nets like Tor. Defense methods are discussed for both website operators as well as web users, and a pair of browser extensions are offered which guard against this class of attack.

[jaymzcampbell]

It is using an attribute selector that matches against the last character only - so no giant file of permutations required.

[hughes]

Also, and critically, the server always responds with an HTTP 400 status code. This prevents caching in most browsers, so the request will be made again when a key is repeated.

[bfred_it]

In short: this works when the SERVER returns a page with pre-entered information.

This is common when returning to a form you previously filled, like an address for, but it's very, very rare for this to happen to a password field. Like, why would a server send you a password field with your real password pre-entered?

Every other type of data is fair game... given that the attacker can inject CSS into your pages.