W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Risks from CSS injection

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 09 Dec 2009 09:33:14 -0800
Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, public-web-security@w3.org
Message-id: <6C9E68AD-51E4-4A12-8962-6A4863FB6EC2@apple.com>
To: gaz Heyes <gazheyes@gmail.com>

On Dec 9, 2009, at 8:46 AM, gaz Heyes wrote:

> 2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com>
> In particular, I would suggest that nothing ever be added to CSS that
> triggers access to remote resources but doesn't use url(), and is
> allowed in inline styles or doesn't have to be at the top of the
> stylesheet.  As far as I know, there are currently no such constructs
> that exist or are planned, so blacklisting the (a)-(c) that I gave
> should be safe.  Is this correct?  If so, does it sound like it's
> feasible to keep it safe?
>
> Namespaces allow remote resources without url()
> <http://www.w3.org/TR/css3-namespace/>

I don't see how? The use of URLs there is solely for purposes of  
defining XML namespaces, the URLs are never deferenced.

Regards,
Maciej
Received on Wednesday, 9 December 2009 17:33:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT