Re: Risks from CSS injection

2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com<Simetrical%2Bw3c@gmail.com>
>

> In particular, I would suggest that nothing ever be added to CSS that
> triggers access to remote resources but doesn't use url(), and is
> allowed in inline styles or doesn't have to be at the top of the
> stylesheet.  As far as I know, there are currently no such constructs
> that exist or are planned, so blacklisting the (a)-(c) that I gave
> should be safe.  Is this correct?  If so, does it sound like it's
> feasible to keep it safe?
>

Namespaces allow remote resources without url()
<http://www.w3.org/TR/css3-namespace/>

CSS3 Attr() proposed functionality specifies url as an argument. The ability
to read and distribute any CSS property could be a problem too if you can
interact with the value and another selector.

Received on Wednesday, 9 December 2009 16:47:23 UTC