
Re: Seamless iframes + CSS3 selectors = bad idea

From: Devdatta <dev.akhawe@gmail.com>
Date: Tue, 8 Dec 2009 11:10:04 -0800
Message-ID: <ecf35a1b0912081110g3883c2f6v72e6b3d82ad0d628@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Glazman <daniel@glazman.org>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
>
> Daniel that's the point. The site is assumed safe from XSS but allows CSS
> and those selectors and it assumes they are safe.
>

Does anyone have any data to support that such sites do exist? Viz. sites that
   * Disallow script injection
   * Allow arbitrary CSS injection (no whitelist/blacklist)
   * Aren't vulnerable to XSS.

Maciej gave a few examples that clearly demonstrate how widely
attribute selectors are used. We could do with some examples to show
how the scenario we are talking about is actually widely prevalent.

Cheers
devdatta


2009/12/8 gaz Heyes <gazheyes@gmail.com>:
>
>
> 2009/12/8 Daniel Glazman <daniel@glazman.org>
>>
>> If the attacker has the ability to load in non-sandboxed mode, he/she
>> has the ability to (a) create a <link> or <style> element and then CSS
>> is the least problem since the attacker has access to the whole DOM
>> (b) be a man-in-between and replace a linked stylesheet by his/her own;
>> again, if he/she can do that, targeting JS is a much better option.
>
> Daniel that's the point. The site is assumed safe from XSS but allows CSS
> and those selectors and it assumes they are safe.
>
Received on Tuesday, 8 December 2009 19:11:04 GMT
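One way to make the "whitelist" option from the list above concrete, as an added example that is not code from this thread or from any of its participants: a small Python filter that keeps only rules whose selectors are plain type, class or id selectors, and rejects attribute selectors instead of assuming they are safe. The rule splitting and the sample stylesheet are constructed for illustration and are not a complete CSS parser.

```python
import re

# Whitelist grammar for one compound selector part: a type selector (h1),
# a class selector (.profile) or an id selector (#bio). Nothing else.
SIMPLE_SELECTOR = re.compile(
    r'^[a-zA-Z][\w-]*$|^\.[a-zA-Z_][\w-]*$|^#[a-zA-Z_][\w-]*$'
)


def selector_allowed(selector: str) -> bool:
    """True only if the selector is built from whitelisted parts joined by
    descendant (whitespace) combinators. Attribute selectors ([...]),
    pseudo-classes (:...) and the universal selector (*) are refused."""
    if '[' in selector or ':' in selector or '*' in selector:
        return False
    parts = selector.split()
    return bool(parts) and all(SIMPLE_SELECTOR.match(p) for p in parts)


def filter_css(css: str) -> tuple[list[str], list[str]]:
    """Split user-supplied CSS into rules and return (kept_rules, rejected_selectors).
    A rule is kept only if every selector in its selector list passes the whitelist."""
    css = re.sub(r'/\*.*?\*/', '', css, flags=re.S)   # drop comments first
    if re.search(r'\{[^}]*\{', css):                    # nested blocks (@media etc.)
        raise ValueError('nested blocks are not supported by this filter')
    kept, rejected = [], []
    for m in re.finditer(r'([^{}]+)\{([^{}]*)\}', css):
        selectors = [s.strip() for s in m.group(1).split(',')]
        body = m.group(2).strip()
        if all(selector_allowed(s) for s in selectors):
            kept.append(f"{', '.join(selectors)} {{ {body} }}")
        else:
            rejected.extend(s for s in selectors if not selector_allowed(s))
    return kept, rejected


# Constructed sample: two harmless rules and one rule using an attribute selector.
SAMPLE_CSS = """
.profile h1 { color: #333; }
a[href^="http"] { color: red; }
#bio { font-family: serif; }
"""

if __name__ == '__main__':
    kept, rejected = filter_css(SAMPLE_CSS)
    print('kept:', kept)
    print('rejected selectors:', rejected)
```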
