
Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 01:30:37 -0800
Message-ID: <7789133a0912080130u267fc180ifcc8608b9be18861@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Tue, Dec 8, 2009 at 1:23 AM, Daniel Glazman <daniel@glazman.org> wrote:
> 1. act at the injection level; make cross-linking of stylesheets
>   impossible. That would kill many web-based applications and I
>   certainly do not support that.

I'm not sure this would solve the problem given the existence of
inline style declarations.

> 2. make attribute selectors in cross-linked stylesheets fail or reply
>   silly things; ugly, not my choice, see 4 below

Again, this seems problematic because of inline style.

> 3. kill attribute selectors; will never happen, period.

Can you elaborate on this point?  Why is this off the table?

> 4. add a declarative option to <link> and <style> elements to say
>   the CSS parser should be in a "sandboxed" mode, dropping some
>   selectors, properties and values. From our CSS WG point of view,
>   it's almost a profile of CSS. That is doable modulo the fact
>   browser vendors accept to implement it; the way to do it is then
>   to write a spec detailing a "CSS Secure Profile" (that's your task
>   guys), have HTML add something to <link> and <style> for sandboxed
>   stylesheets, and finally pray a bit you'll see it implemented before
>   the end of the next decade.

I don't understand why that would help.  Wouldn't the attacker simply
load their stylesheet in a non-sandboxed mode?

Adam
Received on Tuesday, 8 December 2009 09:31:38 GMT
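The "sandboxed" CSS profile from option 4, sketched as an added example (not code from the thread or from any browser): a toy filter that walks a stylesheet's top-level rules, drops every rule whose selector uses an attribute selector, and strips declarations that would trigger a fetch, so no rule's side effects can depend on attribute contents. Names (`sandboxStylesheet`, `splitRules`, `SAMPLE_CSS`) and the sample stylesheet are constructed for this example; it is a brace-depth scanner, not a full CSS parser, so braces or brackets inside quoted strings are not handled.

```javascript
// Toy "CSS Secure Profile" filter (constructed example, not a real implementation).
// Only rules loaded through this filter are constrained; a stylesheet loaded in
// non-sandboxed mode or an inline style="" attribute bypasses it entirely, which
// is the objection raised in the reply above.

function splitRules(css) {
  // Split "selector { body }" pairs at brace depth 0, keeping nested @-rule
  // bodies (e.g. @media) intact as a single raw string.
  const rules = [];
  let depth = 0, start = 0, braceOpen = -1;
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '{') { if (depth === 0) braceOpen = i; depth++; }
    else if (css[i] === '}' && --depth === 0) {
      rules.push({ selector: css.slice(start, braceOpen).trim(),
                   body: css.slice(braceOpen + 1, i).trim() });
      start = i + 1;
    }
  }
  return rules;
}

const ATTRIBUTE_SELECTOR = /\[[^\]]*\]/;   // [name], [name="v"], [name^="v"] ...
const URL_VALUE = /url\s*\(/i;             // any declaration that fetches a resource

function sandboxStylesheet(css) {
  const kept = [], dropped = [];
  for (const { selector, body } of splitRules(css)) {
    if (ATTRIBUTE_SELECTOR.test(selector)) { dropped.push(selector); continue; }
    if (selector.startsWith('@') && body.includes('{')) {
      // Nested block (@media, @supports): filter its inner rules recursively.
      const inner = sandboxStylesheet(body);
      kept.push(`${selector} { ${inner.css} }`);
      dropped.push(...inner.dropped);
      continue;
    }
    const decls = body.split(';').map(d => d.trim())
      .filter(d => d && !URL_VALUE.test(d));
    kept.push(`${selector} { ${decls.join('; ')} }`);
  }
  return { css: kept.join('\n'), dropped };
}

// Constructed sample: two attribute-selector rules and two url() declarations.
const SAMPLE_CSS = 'input[value^="a"] { background: url(http://example.invalid/?a) }\n' +
  'p { color: red; background: url(x.png) }\n' +
  '@media screen { a[href] { color: blue } b { font-weight: bold } }';

console.log(sandboxStylesheet(SAMPLE_CSS));
```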
