
Re: unsafe-inline for style-src

From: Mike West <mkwst@google.com>
Date: Thu, 20 Sep 2012 19:56:50 +0200
Message-ID: <CAKXHy=fwy+_CVqx05518UCY_JNhsoeWhx2D4P4sNJ9q3KUpt6w@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org

On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> For now.  Until people add selectors to inline styles.  There have been
> several proposals for that.

Hrm. That sounds weird.

Link? I'm morbidly curious. :)

> (On a side note, it's not clear to me how attribute selectors would leak
> data typed into an <input>, unless the page has script stashing the data
> into an attribute somewhere....)

I just came across
http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf,
which describes some interesting scriptless attack vectors. Section
3.1 bullet 3 and following has good detail on CSS3 in particular.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Thursday, 20 September 2012 17:57:38 GMT
