- From: Mike West <mkwst@google.com>
- Date: Thu, 20 Sep 2012 19:56:50 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org
On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > For now. Until people add selectors to inline styles. There have been > several proposals for that. Hrm. That sounds weird. Link? I'm morbidly curious. :) > (On a side note, it's not clear to me how attribute selectors would lead > data typed into an <input>, unless the page has script stashing the data > into an attribute somewhere....) I just came across http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf, which describes some interesting scriptless attack vectors. Section 3.1 bullet 3 and following has good detail on CSS3 in particular. -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Thursday, 20 September 2012 17:57:38 UTC