- From: Devdatta <dev.akhawe@gmail.com>
- Date: Tue, 8 Dec 2009 12:21:48 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Daniel Glazman <daniel@glazman.org>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

> This is quite a good overview of which email/web clients support which CSS
> properties:-
> <http://www.campaignmonitor.com/css/>

This seems to say that everyone is doing some sort of black/white listing. Do you have examples of people allowing _arbitrary_ CSS but still (think) are safe?

Cheers
Devdatta

2009/12/8 gaz Heyes <gazheyes@gmail.com>:
> 2009/12/8 Devdatta <dev.akhawe@gmail.com>
>>
>> >
>> > Daniel that's the point. The site is assumed safe from XSS but allows
>> > CSS
>> > and those selectors and it assumes they are safe.
>> >
>>
>> Does anyone have any data to support that such sites do exist ? Viz. sites
>> that
>> * Disallow script injection
>> * Allow arbitrary CSS injection (no whitelist/blacklist)
>> * Aren't vulnerable to XSS.
>>
>> Maciej gave a few examples that clearly demonstrate how widely
>> attribute selectors are used. We could do with some examples to show
>> how the scenario we are talking about is actually widely prevalent.
>
> This is quite a good overview of which email/web clients support which CSS
> properties:-
> <http://www.campaignmonitor.com/css/>
>
> Myspace seemed to allow CSS selectors when sirdarckcat tested
>

Received on Tuesday, 8 December 2009 20:22:48 UTC