- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Mon, 02 Jul 2018 02:42:40 +0000
- To: public-css-archive@w3.org
The attack scenario is:
1. Find a browser that stores some website-based information (like localStorage or something) in a file-based database (like sqlite).
2. Evil site, upon being visited, stores a hostile string into that database, which contains something like `};};}; body { --foo:`.
3. Evil site then loads that database as a local stylesheet with `<link rel=stylesheet href="file:...">`.
4. Evil site queries `getComputedStyle(document.body).getPropertyValue("--foo")`, and captures all of the contents of the file between where the string got stored and the next byte that gets interpreted as a `;` character. This is potentially a large chunk of the file, grabbing information from other sites.
Replacing NULL with U+FFFD doesn't solve this problem; that character is allowed in custom properties. Thus my minimal proposal of making a NULL automatically invalid in *all* contexts, so the custom property would be thrown out at parse time assuming that a NULL gets captured in the value (which is likely in the attack scenario mentioned; you'll probably find NULL bytes in a SQLite file). The maximal proposal, of invalidating the entire stylesheet if there's a NULL anywhere, would make it even safer, while having a fairly minimal chance of impact on *actual* stylesheets.
--
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-401656627 using your GitHub account
Received on Monday, 2 July 2018 02:42:42 UTC
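To show why U+FFFD replacement leaves the value readable while either invalidation proposal discards it, here is an added toy model (not from the thread and not a real CSS parser) of how a custom-property value would be read out of such a file under each policy; the file contents, the `--foo` name and the three policy constants are constructed for the example.

```python
from typing import Optional

# Constructed stand-in for a profile database: a binary header (with a NULL),
# another origin's stored data, the string stored by the hostile site, then more data.
FAKE_DB = (
    b"SQLite format 3\x00"
    b"https://bank.example session=abc123 "
    b"};};}; body { --foo:"
    b"https://mail.example token=xyz789\x00more-data;"
)

REPLACE_FFFD = "replace"          # current preprocessing: NULL becomes U+FFFD
INVALIDATE_DECL = "declaration"   # minimal proposal: a NULL throws out the declaration
INVALIDATE_SHEET = "stylesheet"   # maximal proposal: a NULL throws out the whole sheet


def custom_property_value(sheet: bytes, name: str, policy: str) -> Optional[str]:
    """Value a parser would expose for `--name` under `policy`, or None if the
    declaration (or the whole stylesheet) is discarded."""
    if policy == INVALIDATE_SHEET and b"\x00" in sheet:
        return None
    # Simplification: map each byte to one code point so NULLs stay visible;
    # a real parser would first decode the file as UTF-8.
    text = sheet.decode("latin-1")
    marker = f"--{name}:"
    start = text.find(marker)
    if start == -1:
        return None
    rest = text[start + len(marker):]
    # As in the scenario above, the value runs to the next `;`; this toy scanner
    # ignores block nesting, strings and comments.
    end = rest.find(";")
    value = rest if end == -1 else rest[:end]
    if "\x00" in value:
        if policy != REPLACE_FFFD:
            return None          # declaration-level invalidation
        value = value.replace("\x00", "\ufffd")
    return value.strip()
```

Under the replacement policy the other origin's data is still exposed through `--foo`, while both invalidation policies return nothing for the hostile file and still return the normal value for an ordinary stylesheet without NULLs.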