
Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 17:07:14 +0800
Message-ID: <8ba534860912080107q6be34a26wa3b0ee8ae8166536@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Yeah, 11 years ago I was in elementary school... sorry for not finding it
back then...

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:04 PM, Daniel Glazman <daniel@glazman.org> wrote:

> Thomas Roessler wrote:
>
>> Part of the community has been asking questions about the ever
>> growing expressive power of CSS (and its impact on Web security)
>> for a while now.  I strongly suggest taking that part of the
>> community seriously now, instead of facing problems later.
>>
>
> First, the CSS WG members easily accept the fact that they're not
> security experts. So we clearly rely on YOU guys.
> Second, :visited is more than 13 years old. Attribute selectors are 11
> years old. Both have been implemented and shipped by mainstream
> browsers for ages.
>
> And it's the CSS WG that takes problems late? Come on, give me
> a break. We make our specs just like any other WG. We call for
> comments and are all ears. But telling us that an 11-year-old
> feature implemented in Mozilla since March 2001 (I know the date
> because _I_ did it) is dangerous and should be removed because it is too
> powerful, on the basis that it can be injected, seems to me insane. The problem
> here is injection or cross-site references, not CSS itself. If the idea
> is to make cross-linking of stylesheets impossible, I will strongly
> fight that proposal because of its major impact on web-based
> applications.
>
> Gaz Heyes said it clearly, I quote: "The scenario is a web site allows
> a user to place an external stylesheet". External and uncontrolled
> resources are dangerous, we all agree on that.
>
> </Daniel>
Received on Tuesday, 8 December 2009 09:08:11 GMT