javascript URIs on stylesheets/redirections

Here:
http://dev.w3.org/html5/spec/Overview.html#origin

2 comments.

It says:
If a script is a javascript: URL in a style sheet
    The owner is the URL of the style sheet.

That means javascript URIs will be allowed?

And.. are you aware that CSS doesn't hard-fail? (I mean.. it's not like JS
that will exit at the first syntax error).

something like:

http://www.google.com/search?for=something
  <!doctype html5>
  <html>
  ....
  <a href="http://www.example.com/}body{background-image:url(javascript:alert('who am I?'))}">link</a>

can be interpreted as a stylesheet..
<link href="http://www.google.com/search?for=something">

and execute the CSS, and according to that spec.. with www.google.com as
its origin.. that's super dangerous!

This is a PoC (without the actual unimplemented xss):
http://attacker.sirdarckcat.net/xss.php?html_xss=%3Cstyle%3E@import%20url%28%27http://victim.sirdarckcat.net/xss.php?html_xss=}%250D%250Abody{background-image:url%28http://t0.gstatic.com/images?q=tbn:cOeIS9pmn6i8YM:http://epicfail/%29}%250D%250Ax{%27%29;%3C/style%3E

Just change the http:// with javascript (for when this gets implemented)
and you've got a cool nice UXSS..

The second one:
If a script is a javascript: URL that was returned as the location of an
HTTP redirect (or equivalent in other protocols)
    The owner is the URL that redirected to the javascript: URL.

This is NOT happening as of right now.. on any browser afaik. You can try!
http://tinyurl.com/jsredirect

And preview: http://preview.tinyurl.com/jsredirect

The only "redirect" that executes JS is Refresh (via headers or meta).. but
I wouldn't consider them an HTTP redirect.. per se..

I haven't reviewed the whole spec, but this stuff is disappointing..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

Received on Monday, 7 December 2009 05:32:06 UTC
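Added here as an example, not part of Eduardo's mail or of any W3C or browser code: a small Node.js check, written from the defender's side, for the two conditions the mail discusses. The first is a response (for instance an HTML page that reflects user input) that a browser could pick up via `<link>` and apply as a cross-origin stylesheet because CSS parsing recovers from junk instead of failing; the second is an HTTP redirect whose Location uses a `javascript:` (or other non-http) scheme. The mitigations it checks for, a declared Content-Type and `X-Content-Type-Options: nosniff` (which makes browsers refuse to apply a non-`text/css` resource as a stylesheet), post-date the mail. The response shape `{ status, headers }` and the function names `assessResponse`, `mediaType`, `normalizeHeaders` and `urlScheme` are my assumptions; the sample responses are constructed, not captured from any real site.

```javascript
// Added example (not from the original mail): server-side response checks
// for the two risks the mail describes, from the defender's side.
// Assumption: a response is modelled as { status: <number>, headers: { <name>: <value> } }.

// Extract the media type from a Content-Type value
// ("text/html; charset=utf-8" -> "text/html"); "" when absent.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Lower-case header names and trim values so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const name of Object.keys(headers || {})) {
    out[name.toLowerCase()] = String(headers[name]).trim();
  }
  return out;
}

// Scheme of a Location value, lower-cased, or "" for a relative URL.
function urlScheme(location) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(location.trim());
  return m ? m[1].toLowerCase() : '';
}

const SAFE_REDIRECT_SCHEMES = new Set(['http', 'https']);

// Returns an array of finding codes; an empty array means the response is
// not exposed to either problem discussed in the mail.
function assessResponse(response) {
  const findings = [];
  const h = normalizeHeaders(response.headers);
  const type = mediaType(h['content-type']);

  // Finding 1: no declared type invites content sniffing, so a page that
  // reflects attacker-controlled text could be applied as CSS by <link>
  // (the "CSS doesn't hard-fail" point in the mail).
  if (type === '') {
    findings.push('missing-content-type');
  }

  // Finding 2: without X-Content-Type-Options: nosniff a browser may still
  // apply a non-text/css resource as a stylesheet (quirks-mode pages in
  // particular). With nosniff, stylesheet loads of any other type are blocked.
  // A genuine text/css resource is meant to be a stylesheet, so it is skipped.
  const nosniff = (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  if (type !== 'text/css' && !nosniff) {
    findings.push('missing-nosniff');
  }

  // Finding 3: a redirect whose Location uses a scheme other than http(s).
  // The mail observes that no browser executes a javascript: redirect target,
  // but the spec text still assigns it an owner, so never emit one server-side.
  if (response.status >= 300 && response.status < 400 && 'location' in h) {
    const scheme = urlScheme(h['location']);
    if (scheme !== '' && !SAFE_REDIRECT_SCHEMES.has(scheme)) {
      findings.push('unsafe-redirect-scheme:' + scheme);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  hardened: { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8',
                                      'X-Content-Type-Options': 'nosniff' } },
  sniffable: { status: 200, headers: { 'Content-Type': 'text/html' } },
  untyped: { status: 200, headers: {} },
  jsRedirect: { status: 302, headers: { 'Content-Type': 'text/html',
                                        'Location': 'javascript:void(0)',
                                        'X-Content-Type-Options': 'nosniff' } },
  cssFile: { status: 200, headers: { 'Content-Type': 'text/css' } },
};

// Build a one-line report per sample so the block is usable stand-alone.
function report(samples) {
  return Object.keys(samples).map((name) => {
    const findings = assessResponse(samples[name]);
    return name + ': ' + (findings.length ? findings.join(', ') : 'ok');
  });
}

report(SAMPLE_RESPONSES).forEach((line) => console.log(line));
```

Run with `node`. This is server-side hygiene only: it does not model how a particular browser recovers from CSS syntax errors, it only tells you whether a response declares enough for a browser to refuse to apply it as a cross-origin stylesheet, and whether a redirect target uses a scheme a browser should never be asked to follow.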