W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 18:42:01 -0800
Cc: Collin Jackson <w3c@collinjackson.com>, Boris Zbarsky <bzbarsky@mit.edu>, Adam Barth <w3c@adambarth.com>, sird@rckc.at, public-web-security@w3.org
Message-id: <E66786F4-5773-4779-8C84-9C526C7FD68B@apple.com>
To: Maciej Stachowiak <mjs@apple.com>

On Dec 5, 2009, at 6:17 PM, Maciej Stachowiak wrote:

>
> On Dec 5, 2009, at 12:43 PM, Collin Jackson wrote:
>
>> On Sat, Dec 5, 2009 at 11:05 AM, Boris Zbarsky <bzbarsky@mit.edu>  
>> wrote:
>>> On 12/5/09 1:05 PM, Collin Jackson wrote:
>>>> It seems like CSS3 is adding a lot of attack surface
>>>
>>> Maybe I'm missing something... what attack surface is being added  
>>> here,
>>> exactly?  Attribute selectors?
>>
>> Right. Attribute selectors that can read the values of input fields
>> and send the result over the network.
>
> An attribute selector on the value attribute can't read the actual  
> value of an input field, only the default value.

To be fair though, while this won't help you learn anything about  
passwords, it could tell you about a CSRF-defense secret token that's  
embedded in the form via <input type="hidden" value="XXXXXX">.

Regards,
Maciej
Received on Sunday, 6 December 2009 02:42:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT