W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Devdatta <dev.akhawe@gmail.com>
Date: Tue, 8 Dec 2009 12:21:48 -0800
Message-ID: <ecf35a1b0912081221v664f4b5ch5b345529308579d8@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Glazman <daniel@glazman.org>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
> This is quite a good overview of which email/web clients support which CSS
> properties:-
> <http://www.campaignmonitor.com/css/>

This seems to say that everyone is doing some sort of black/white
listing . Do you have examples of people allowing _arbitrary_ CSS but
still (think) are safe ?


Cheers
Devdatta


2009/12/8 gaz Heyes <gazheyes@gmail.com>:
> 2009/12/8 Devdatta <dev.akhawe@gmail.com>
>>
>> >
>> > Daniel that's the point. The site is assumed safe from XSS but allows
>> > CSS
>> > and those selectors and it assumes they are safe.
>> >
>>
>> Does anyone have any data to support that such sites do exist ? Viz. sites
>> that
>>   * Disallow script injection
>>   * Allow arbitrary CSS injection (no whitelist/blacklist)
>>   * Aren't vulnerable to XSS.
>>
>> Maciej gave a few examples that clearly demonstrate how widely
>> attribute selectors are used. We could do with some examples to show
>> how the scenario we are talking about is actually widely prevalent.
>
> This is quite a good overview of which email/web clients support which CSS
> properties:-
> <http://www.campaignmonitor.com/css/>
>
> Myspace seemed to allow CSS selectors when sirdarckcat tested
>
Received on Tuesday, 8 December 2009 20:22:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT