W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Daniel Glazman <daniel@glazman.org>
Date: Tue, 08 Dec 2009 10:04:03 +0100
Message-ID: <4B1E1683.1070803@glazman.org>
To: Thomas Roessler <tlr@w3.org>
Cc: public-web-security@w3.org
Thomas Roessler wrote:

> Part of the community has been asking questions about the ever
> growing expressive power of CSS (and its impact on Web security)
> for a while now.  I strongly suggest taking that part of the
> community seriously now, instead of facing problems later.

First the CSS WG members easily accept the fact they're not
security experts. So we clearly rely on YOU guys.
Second, :visited is more than 13 years old. Attribute selectors are 11
years old. Both have been implemented and shipped by mainstream
browsers for ages.

And it's the CSS WG that takes problems late? Come on, give me
a break. We make our specs just like any other WG. We call for
comments and are all ears. But telling us that a 11 years old
feature implemented in mozilla since march 2001 (I know the date
because _I_ did it) is dangerous and should be removed because too
powerful on the basis it can be injected seems to me insane. The problem
here is injection or cross-site references, not CSS itself. If the idea
is to make cross-linking of stylesheets impossible, I will strongly
fight that proposal because of its major impact on web-based
applications.

gaz Heyes said it clearly, I quote: "The scenario is a web site allows
user to place a external stylesheet". External and uncontrolled
resources are dangerous, we all agree on that.

</Daniel>
Received on Tuesday, 8 December 2009 09:04:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT