W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Sun, 6 Dec 2009 14:28:42 +0800
Message-ID: <8ba534860912052228g50649e11j21f8a52ac46826da@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: sird@rckc.at, public-web-security@w3.org
xss without css..

i dont know if some one else discovered this type of attacks before us on
bluehat last year.. but it doesnt matter.

its amazing that if it was known for so long untill now people are
considering the security ramirications of those new toys.

anyway.. i dont want to rant about this..


On Dec 6, 2009 2:17 PM, "Ian Hickson" <ian@hixie.ch> wrote:

On Fri, 4 Dec 2009, Eduardo Vela wrote: > > I sincerely understand why
people want seamless iframes ...

> What I see with those awesome CSS3 selectors such as: > >
How is the attacker inserting CSS into the page, in this scenario?

I agree that if an attacker can insert CSS into a victim page, that
numerous information retrieval attacks are possible (though not currently
a password attack, as Maciej mentioned). However, this has long been
known, it doesn't seem to be a new problem.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 06:29:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:17 UTC