W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 18:17:04 -0800
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Adam Barth <w3c@adambarth.com>, sird@rckc.at, public-web-security@w3.org
Message-id: <E6D744C0-CD5E-49A7-8834-6AF674FC367D@apple.com>
To: Collin Jackson <w3c@collinjackson.com>

On Dec 5, 2009, at 12:43 PM, Collin Jackson wrote:

> On Sat, Dec 5, 2009 at 11:05 AM, Boris Zbarsky <bzbarsky@mit.edu>  
> wrote:
>> On 12/5/09 1:05 PM, Collin Jackson wrote:
>>> It seems like CSS3 is adding a lot of attack surface
>>
>> Maybe I'm missing something... what attack surface is being added  
>> here,
>> exactly?  Attribute selectors?
>
> Right. Attribute selectors that can read the values of input fields
> and send the result over the network.

An attribute selector on the value attribute can't read the actual  
value of an input field, only the default value.

Regards,
Maciej
Received on Sunday, 6 December 2009 02:17:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT