Is it safe to allow embedding an arbitrary external stylesheet into a page?

Hello,

I have a simple dynamic web-page which I want other people to be able
to embed into their own web-pages, with just an iframe (e.g. not
necessarily with any kind of more advanced techniques like
JavaScript).

Instead of providing all sorts of designs and styles myself, I'm
thinking about allowing anyone to provide their own stylesheet for my
page through an HTTP GET parameter, and embed such external stylesheet
through a URL w/ <link type="text/css" rel="stylesheet" href… on my
page.

Is this safe?  Will it violate the security paradigm of my web-site?

I'm aware that extra text could be inserted with CSS alone, and indeed
elements could be removed (which is the whole point of me providing
such functionality), but anything else I should be aware of?

The spec, at http://www.w3.org/TR/html5/links.html#link-type-stylesheet,
doesn't seem to go much into same-origin/non-same-origin issues with
regard to CSS; I've asked this on SO,
http://stackoverflow.com/questions/16676106/is-it-safe-to-allow-to-embed-an-arbitrary-external-stylesheet-into-my-web-page,
but I don't seem to be getting an exact and definitive answer,
although it has been pointed out that some browsers (mostly MSIE as
per http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets)
allow JavaScript execution within the stylesheets, and also a
mention/reminder that CSS has a "url()" keyword/function (again
potentially exploitable and subject to JavaScript execution in old
MSIE versions).

Those documents don't really address my question, though:  could
malicious people insert links and non-text-non-images onto my site
through such a CSS, to benefit from my http referer and potentially
violate some checks, and, also with the apparent JavaScript-within-CSS
"loophole" in MSIE, would such JavaScript be executed in my domain's
origin, e.g. would it be able to read/write cookies and other such
things?

This issue stems from CSS; however, it turns out to be about
same-origin / DOM / JavaScript.  Since my site is
JavaScript-free, I guess my only venue for this question is the HTML5
WG.  :-)  I would appreciate clarifications on this matter.

Cheers,
Constantine.

Received on Tuesday, 21 May 2013 22:56:27 UTC
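
An added example, not part of the original message: one way a server could handle the stylesheet URL from the GET parameter before writing it into the `<link>` tag, and pair it with a Content-Security-Policy header that limits styles and images to that stylesheet's origin. The parameter name `css`, the function names and the HTTPS-only rule are assumptions, and the policy assumes the page loads no other resources of its own.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "css"  # assumed name of the GET parameter carrying the stylesheet URL
HOST_RE = re.compile(r"(?!-)[a-z0-9-]+(\.[a-z0-9-]+)*")
PRINTABLE_RE = re.compile(r"[\x21-\x7e]{1,2048}")


def validate_stylesheet_url(raw):
    """Return (url, origin) for an acceptable stylesheet URL, else None."""
    if not PRINTABLE_RE.fullmatch(raw):
        return None  # spaces, control bytes, non-ASCII or oversized input
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None  # rejects javascript:, data:, plain http and relative URLs
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    if not HOST_RE.fullmatch(host):
        return None  # keeps ';' and other CSP metacharacters out of the origin
    origin = "https://" + host + ("" if port is None else ":%d" % port)
    return raw, origin


def render_head(query_string):
    """Return (link_tag, csp_header_value); both empty if the URL is rejected."""
    values = parse_qs(query_string).get(PARAM, [])
    checked = validate_stylesheet_url(values[0]) if len(values) == 1 else None
    if checked is None:
        return "", ""  # caller serves the page with its default styling
    url, origin = checked
    # quote=True escapes " and ' so the value cannot break out of href="...".
    link = '<link type="text/css" rel="stylesheet" href="%s">' % html.escape(url, quote=True)
    # Styles and images may come only from the stylesheet's origin;
    # default-src 'none' denies script and every other resource type.
    csp = "default-src 'none'; style-src %s; img-src %s" % (origin, origin)
    return link, csp
```

The policy is only enforced by browsers that implement Content-Security-Policy, so the URL checks and attribute escaping have to hold on their own.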