
Re: unsafe-inline for style-src

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 20 Sep 2012 11:16:26 -0700
Message-ID: <CAJE5ia9_kJhUUCFViO9TwQc0FQqP5MW1mjS__z4fM8NLO0H+pg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Mike West <mkwst@google.com>, public-webappsec@w3.org

On Thu, Sep 20, 2012 at 11:04 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/20/12 1:56 PM, Mike West wrote:
>>
>> On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>>
>>> For now.  Until people add selectors to inline styles.  There have been
>>> several proposals for that.
>>
>>
>> Hrm. That sounds weird.
>>
>> Link? I'm morbidly curious. :)
>
>
> I'd have to search... it was on the public-html or whatwg list.
>
>
>>> (On a side note, it's not clear to me how attribute selectors would leak
>>> data typed into an <input>, unless the page has script stashing the data
>>> into an attribute somewhere....)
>>
>>
>> I just came across
>>
>> http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf,
>> which describes some interesting scriptless attack vectors. Section
>> 3.1 bullet 3 and following has good detail on CSS3 in particular.
>
>
> Sure.  There's all sorts of interesting stuff you can do with CSS, and I
> totally agree that you want to block it in many cases to avoid those things.
> My side note was very specifically about the quoted combination of
> "attribute selector" and "leak data typed into an <input>", because that
> part is non-obvious to me.

Maybe it only works for data that's been pre-filled into input@value?
I haven't tested this stuff in a while.

Adam
Received on Thursday, 20 September 2012 18:17:26 GMT
