
Re: Seamless iframes + CSS3 selectors = bad idea

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Tue, 8 Dec 2009 07:46:20 +0800
Message-ID: <8ba534860912071546h76773957x953d7585c295487@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: public-web-security@w3.org

we=me+the people that asked.

and the example just demonstrates the fact that you can read attributes..
check the references for working examples ;)

if you (meaning Daniel) think it shouldn't be fixed I think it's ok (since so
many people implemented that silly idea of powerful selectors..).. after
all.. I love hacking! I am waiting eagerly for the first real world attack
that exploits this feature.. and making XSS without javascript a reality.

greetings!

-- Sent from my cellphone.

On Dec 8, 2009 5:43 AM, "Daniel Glazman" <daniel@glazman.org> wrote:

sird@rckc.at wrote:
> a[href$=.pdf]::before{content:url(pdficon.gif)}
>
> And it rocks, it really r...
"we"? Who's that "we"? In the World Wide Web Consortium, that "we"
is the Community on one hand, the W3C Membership (including browser
vendors) on the other.
So yes, "we" wanted to add that ability to CSS.

> I mean, imho, :visited selectors should have been vanished from CSS3.. but
> well..
I think the "we" I mentioned above VERY strongly disagrees with you
here.

</Daniel>
Received on Monday, 7 December 2009 23:47:01 GMT
