W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 09:52:33 +0000
Message-ID: <252dd75b0912080152i5880d96cua859f294b3068f7c@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org 
2009/12/8 Daniel Glazman <daniel@glazman.org>

> If the attacker has the ability to load in non-sandboxed mode, he/she
> has the ability to (a) create a <link> or <style> element and then CSS
> is the least problem since the attacker has access to the whole DOM
> (b) be a man-in-between and replace a linked stylesheet by his/her own;
> again, if he/she can do that, targetting JS is a much better option.


Daniel that's the point. The site is assumed safe from XSS but allows CSS
and those selectors and it assumes they are safe.
Received on Tuesday, 8 December 2009 09:53:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT