W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 19:54:19 +0000
Message-ID: <252dd75b0912081154w4829608dvb37ae81230e607ca@mail.gmail.com>
To: Devdatta <dev.akhawe@gmail.com>
Cc: Daniel Glazman <daniel@glazman.org>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
2009/12/8 Devdatta <dev.akhawe@gmail.com>

> >
> > Daniel that's the point. The site is assumed safe from XSS but allows CSS
> > and those selectors and it assumes they are safe.
> >
>
> Does anyone have any data to support that such sites do exist ? Viz. sites
> that
>   * Disallow script injection
>   * Allow arbitrary CSS injection (no whitelist/blacklist)
>   * Aren't vulnerable to XSS.
>
> Maciej gave a few examples that clearly demonstrate how widely
> attribute selectors are used. We could do with some examples to show
> how the scenario we are talking about is actually widely prevalent.
>

This is quite a good overview of which email/web clients support which CSS
properties:-
<http://www.campaignmonitor.com/css/>

Myspace seemed to allow CSS selectors when sirdarckcat tested
Received on Tuesday, 8 December 2009 19:54:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT