
Re: unsafe-inline for style-src

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 20 Sep 2012 11:40:05 -0700
Message-ID: <CAJE5ia_gEwpo0A9TKRi4zE-xvr=Q3BfyVXCtu9R0BGo7vyWNfg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Sep 20, 2012 at 11:34 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> 2) Phishing.  If an attacker can inject elements into a page with arbitrary style,
>> the attacker can completely change the appearance of the page and, for
>> example, make the page show a login screen.  This attack is more powerful
>> than a traditional phishing attack because the browser's location bar will still
>> show the URL of the real web site (including any EV indicators or whatnot).
>> To mitigate this risk, we need to block both <style> and @style.
>
> [Hill, Brad] Is this really an in-scope goal?
>
> It seems to me that phishing would actually be more effective if it re-used the existing styles available with the genuine content than if it tried to create new styles.

Typically an attacker will want to use position:absolute and wacky
z-index to position his or her content above the site's genuine
content.  It's possible that the page has styles lying around that
will do that, but most pages won't.

Adam
Received on Thursday, 20 September 2012 18:41:04 GMT
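
As an added illustration of the mitigation discussed in this thread (not part of the original message, and not any browser's own code): a small JavaScript check of whether a Content-Security-Policy header value still lets injected inline styles (`<style>` elements and `style` attributes) apply. The function names and sample policies are constructed for this example, and only `style-src` with its `default-src` fallback is considered.

```javascript
// Added example: does a CSP header value let injected inline styles apply?
// Assumption: only style-src and its default-src fallback are evaluated;
// the later style-src-elem / style-src-attr directives are not handled.

function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

function inlineStyleAllowed(headerValue) {
  const directives = parsePolicy(headerValue);
  const sources = directives.get('style-src') ?? directives.get('default-src');
  // No governing directive: the policy does not restrict styles at all.
  if (sources === undefined) return true;
  // CSP Level 2: a nonce or hash source makes 'unsafe-inline' ignored.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha256-|sha384-|sha512-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies, not taken from any real site.
const SAMPLE_POLICIES = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline' 'nonce-abc123'",
];

function auditSamples() {
  return SAMPLE_POLICIES.map((p) => ({ policy: p, inline: inlineStyleAllowed(p) }));
}

for (const { policy, inline } of auditSamples()) {
  console.log(`${inline ? 'inline styles ALLOWED' : 'inline styles blocked'}  <-  ${policy}`);
}
```

A policy that restricts scripts but names neither `style-src` nor `default-src` leaves inline styles unrestricted, which is the third sample.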
