Re: Seamless iframes + CSS3 selectors = bad idea

From: Daniel Glazman <daniel@glazman.org>
Date: Tue, 08 Dec 2009 10:42:48 +0100
Message-ID: <4B1E1F98.3070603@glazman.org>
To: Adam Barth <w3c@adambarth.com>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

Adam Barth wrote:

>> 3. kill attribute selectors; will never happen, period.
> 
> Can you elaborate on this point?  Why is this off the table?

Because millions of people use it? Because millions of web sites
use it? Because the feature is absolutely needed by them and it's
not the right thing to do?

> I don't understand why that would help.  Wouldn't the attacker simply
> load their stylesheet in a non-sandboxed mode?

If the attacker has the ability to load in non-sandboxed mode, he/she
has the ability to (a) create a <link> or <style> element and then CSS
is the least problem since the attacker has access to the whole DOM
(b) be a man-in-between and replace a linked stylesheet by his/her own;
again, if he/she can do that, targeting JS is a much better option.

</Daniel>
Received on Tuesday, 8 December 2009 09:43:21 GMT
