
Re: Seamless iframes + CSS3 selectors = bad idea

From: Daniel Glazman <daniel@glazman.org>
Date: Tue, 08 Dec 2009 10:23:08 +0100
Message-ID: <4B1E1AFC.8020900@glazman.org>
To: Adam Barth <w3c@adambarth.com>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Adam Barth wrote:

> If you agree that we ought to do something about the threat of
> stealing CSRF tokens with attribute selectors, then the question
> becomes "what should we do?" not "who's responsible for the problem?"
> 
> So, what should we do?

As I said, I am not the security guy.
From my naive point of view, there are three possibilities:

1. act at the injection level; make cross-linking of stylesheets
    impossible. That would kill many web-based applications and I
    certainly do not support that.

2. make attribute selectors in cross-linked stylesheets fail or reply
    silly things; ugly, not my choice, see 4 below

3. kill attribute selectors; will never happen, period.

4. add a declarative option to <link> and <style> elements to say
    the CSS parser should be in a "sandboxed" mode, dropping some
    selectors, properties and values. From our CSS WG point of view,
    it's almost a profile of CSS. That is doable modulo the fact
    browser vendors accept to implement it; the way to do it is then
    to write a spec detailing a "CSS Secure Profile" (that's your task
    guys), have HTML add something to <link> and <style> for sandboxed
    stylesheets, and finally pray a bit you'll see it implemented before
    the end of the next decade.

</Daniel>
Received on Tuesday, 8 December 2009 09:23:40 GMT
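Option 4 above, a "sandboxed" parse mode that drops some selectors, properties and values from a cross-linked stylesheet, can be sketched as a filter run over the stylesheet text before it is applied. The following is an added example written for this archive page; it is not code from Daniel Glazman, Adam Barth, the CSS WG or any browser, and no browser implements such a profile this way. The function names (`splitRules`, `sanitizeStylesheet`), the two regexes, and the sample stylesheet are all assumptions constructed for the illustration. The parser is deliberately minimal: it handles flat `selector { decl; decl }` rules and ignores @-rules, nested blocks, comments and strings that contain braces or semicolons.

```javascript
// Toy "CSS secure profile" filter (hypothetical; not a browser feature).
// Policy: drop any rule whose selector uses an attribute selector, and drop
// any declaration whose value contains url(), since both are the pieces a
// sandboxed cross-origin stylesheet would be denied under option 4.

const ATTRIBUTE_SELECTOR = /\[[^\]]*\]/;   // matches e.g. input[type="text"]
const URL_VALUE = /url\s*\(/i;              // matches e.g. background: url(x.png)

// Split flat CSS text into { selector, body } pairs.
// Assumption: no nested blocks, @-rules, comments or braces inside strings.
function splitRules(css) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let match;
  while ((match = ruleRe.exec(css)) !== null) {
    rules.push({ selector: match[1].trim(), body: match[2] });
  }
  return rules;
}

// Return the filtered stylesheet plus a record of what was removed,
// so the page owner can log or audit what the profile stripped.
function sanitizeStylesheet(css) {
  const kept = [];
  const dropped = { selectors: [], declarations: [] };

  for (const { selector, body } of splitRules(css)) {
    if (ATTRIBUTE_SELECTOR.test(selector)) {
      dropped.selectors.push(selector);   // whole rule removed
      continue;
    }
    const decls = [];
    for (const raw of body.split(';')) {
      const decl = raw.trim();
      if (!decl) continue;
      if (URL_VALUE.test(decl)) {
        dropped.declarations.push(decl);  // single declaration removed
        continue;
      }
      decls.push(decl);
    }
    if (decls.length > 0) kept.push(`${selector} { ${decls.join('; ')} }`);
  }
  return { css: kept.join('\n'), dropped };
}

// Constructed sample stylesheet (not from the thread) exercising both policies.
const SAMPLE_CSS = `
h1 { color: red; }
input[type="text"] { border: 1px solid gray; }
p { margin: 0; background: url(images/p.png); }
`;

const result = sanitizeStylesheet(SAMPLE_CSS);
console.log(result.css);
console.log('dropped:', JSON.stringify(result.dropped));
```

Running it keeps `h1 { color: red }` and `p { margin: 0 }`, removes the whole `input[type="text"]` rule, and removes only the `background: url(...)` declaration from the `p` rule. A real profile would need a proper CSS tokenizer and a spec-defined allow list, which is exactly the document the message says would have to be written.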
