Re: Risks from CSS injection from gaz Heyes on 2009-12-08 (public-web-security@w3.org from December 2009)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 20:17:24 +0000
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Message-ID: <252dd75b0912081217g13eb7757t9b7a08fa06c5f514@mail.gmail.com>

2009/12/8 Maciej Stachowiak <mjs@apple.com>

> I'd like to backpedal from this proposal for a second so I can understand
> the issue better. Are we worried about:
>
> A) Sites that voluntarily include untrusted CSS (such as user-provided)
> without filtering being exposed to data theft risk.
> B) Sites that have inadvertent CSS injection risk (but without the
> possibility of script injection) being exposed to data theft risk.
> C) Both.
>

My thoughts are that a site author whitelist so called safe css properties
like the selectors and background images and they are not vulnerable to XSS.
So CSS can have the same impact as XSS. I don't want to over hype this
vulnerability as it hasn't be exploited in the wild (to my knowledge). We
are just discussing the technical details and what is possible so it's up to
you guys if you think the risk is great enough

Received on Tuesday, 8 December 2009 20:18:04 UTC