W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 17:25:55 +0800
Message-ID: <8ba534860912060125k190b2828hfe9e6760c4cbd862@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: sird@rckc.at, Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
css is allowed on almost all sns..

also google docs.. emails. etc..

then maybe an informative note saying those selectors are dangerous would
help.

greetz!

On Dec 6, 2009 5:21 PM, "Ian Hickson" <ian@hixie.ch> wrote:

On Sat, 5 Dec 2009, Adam Barth wrote: > > I think you're missing the main
attack that sird's worried...
If you grant the assumption that the page has a faulty filter, IMHO it
becomes easy to have all kinds of vulnerabilities. That filters should
make sure the user can't insert arbitrary CSS is not new. Selectors and
expressions get more and more expressive with each year, but they pale in
comparison to the kind of deep analysis you can do to a page using XSLT
and XPath, for example. This is why filters should always whitelist only
features they consider safe.

--

Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U...
Received on Sunday, 6 December 2009 09:26:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT