Re: Risks from CSS injection

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Wed, 9 Dec 2009 12:19:21 -0500
Message-ID: <7c2a12e20912090919g7cec105ev935f4d6fcd927b59@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org

On Wed, Dec 9, 2009 at 11:46 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> Namespaces allow remote resources without url()
> <http://www.w3.org/TR/css3-namespace/>

Where?  Namespace URIs normally wouldn't be fetched, would they?
Also, @namespace has to precede all valid rules, so (c) would prevent
it from being processed.

> CSS3 Attr() proposed functionality specifies url as an argument.

So you could do:

<span title="http://evil.com" style="background-image: attr(title, url)">

Clever.

> The ability
> to read and distribute any CSS property could be a problem too if you can
> interact with the value and another selector.

What do you mean by this?

Received on Wednesday, 9 December 2009 17:20:01 GMT
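
A style filter that looks only for url() does not see the attr(title, url) form shown in the message above. The check below is an added example, not part of the original email or of any project's code; the function names and sample values are constructed, and accepting whitespace as well as a comma before the type keyword is a conservative assumption.

```javascript
// Added example: names and sample inputs are constructed for illustration.

// Decode CSS escapes (\75rl -> url) and drop comments first, so an
// obfuscated function or keyword is matched the same as a plain one.
function normalizeCss(value) {
  return value
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|([^\r\n\f]))/gi, (m, hex, ch) => {
      if (ch !== undefined) return ch;
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    })
    .toLowerCase();
}

// Return the constructs in one inline style value that can name a
// resource to fetch: url(), and attr() with the url type keyword.
function findRemoteLoads(styleValue) {
  const css = normalizeCss(styleValue);
  const findings = [];
  if (/url\s*\(/.test(css)) findings.push('url()');
  // The message writes attr(title, url); whitespace before the type
  // keyword is also accepted here as a conservative assumption.
  if (/attr\s*\(\s*[^\s,)]+[\s,]+url\b/.test(css)) findings.push('attr(name, url)');
  return findings;
}

// Constructed sample values; the first is the style from the message.
const samples = [
  'background-image: attr(title, url)',
  'background-image: \\75rl(http://example.test/a.png)',
  'content: attr(title); color: red',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', findRemoteLoads(s));
}
```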