
Re: Risks from CSS injection

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 9 Dec 2009 16:46:42 +0000
Message-ID: <252dd75b0912090846n76b1064etd46969dd5a59d420@mail.gmail.com>
To: Aryeh Gregor <Simetrical+w3c@gmail.com>
Cc: public-web-security@w3.org
2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com>

> In particular, I would suggest that nothing ever be added to CSS that
> triggers access to remote resources but doesn't use url(), and is
> allowed in inline styles or doesn't have to be at the top of the
> stylesheet.  As far as I know, there are currently no such constructs
> that exist or are planned, so blacklisting the (a)-(c) that I gave
> should be safe.  Is this correct?  If so, does it sound like it's
> feasible to keep it safe?

Namespaces allow remote resources without url().

CSS3 Attr() proposed functionality specifies url as an argument. The ability
to read and distribute any CSS property could be a problem too if you can
interact with the value and another selector.
Received on Wednesday, 9 December 2009 16:47:23 UTC
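
A sanitizer-side check for the two constructs named in the reply above, as an added example that is not part of the original message. The function and rule names are hypothetical, the sample inputs are constructed, and the two `attr()` spellings matched (comma and space separated) are assumptions about the draft syntax.

```javascript
// Added example, not from the thread: flag CSS that carries a URI or a
// url-typed value without going through url(), so a url()-only blacklist
// would not see it. All names here are hypothetical.

// Replace comments with a space and resolve backslash escapes, so spellings
// such as "@n\61 mespace" or "attr(href/**/url)" are matched as plain text.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?(?:\*\/|$)/g, " ")
    .replace(/\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|([^\r\n\f]))/gi, (m, hex, ch) => {
      if (ch !== undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    });
}

const RULES = [
  // @namespace [prefix] "uri";  (the url(...) form is left to the url() check)
  { name: "namespace-string", re: /@namespace\s*(?:[^\s"';()]+\s*)?["']/i },
  // attr(name, url) or attr(name url): attribute value typed as a URL
  { name: "attr-url-type", re: /\battr\(\s*[^,)\s]+\s*[,\s]\s*url\b/i },
];

// Returns the names of the rules that match the given style text.
function findNonUrlRemoteRefs(css) {
  const text = normalizeCss(css);
  return RULES.filter((r) => r.re.test(text)).map((r) => r.name);
}

// Constructed sample inputs.
const SAMPLES = [
  '@namespace svg "http://example.test/ns";',
  '@n\\61 mespace "http://example.test/ns";',
  "a::after { content: attr(href/**/url); }",
  "a::after { content: attr(href, url); }",
  '@namespace svg url("http://example.test/ns");',
  "a::after { content: attr(title); color: red }",
];

for (const css of SAMPLES) {
  console.log(JSON.stringify(findNonUrlRemoteRefs(css)), css);
}
```

The check is conservative: it reports the construct wherever it appears in the text, including inside a string, which suits a blacklist that rejects on any match.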
