- From: Zack Weinberg <zweinberg@mozilla.com>
- Date: Thu, 3 Jun 2010 13:10:31 -0700
- To: W3C Emailing list for WWW Style <www-style@w3.org>
Zack Weinberg <zweinberg@mozilla.com> wrote:
> Mozilla happens to treat the absence of a content-type, an unparseable
> content-type, and a handful of 'sentinel' values that are not
> *supposed* to appear on the wire (but nothing prevents this) as
> equivalent to text/css. However, CVE-2010-0654 (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive
> discussion) makes me think this is not a good idea.

I should be less telegraphic. The attack in CVE-2010-0654 uses the
forward-compatible parsing algorithm to extract information from a
document that is not CSS (usually it would be HTML), bypassing
cross-origin restrictions. We (browser vendors) have good ways to block
this attack as long as the server being attacked does label everything
correctly. However, in real life things don't get labeled correctly,
and in particular I suspect there's still an awful lot of HTML being
served with no content-type header at all. Thus, if the CSS parser
treats the absence of content-type as equivalent to content-type
text/css, that's a pretty big loophole for the attack.

zw
Received on Thursday, 3 June 2010 20:11:08 UTC
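The attack and the content-type gate described in the message, as an added example that is not part of the original e-mail or of any browser's code. It models, in JavaScript run under Node, a forward-compatible CSS parser being pointed at a cross-origin HTML page. The victim page, the secret token, the two reflected parameters, the `#x{content:'` payload and every function name are constructed for illustration (real payloads vary by browser), and the `strict` flag stands in for the policy choice Zack raises: whether a missing or unparseable Content-Type is treated as text/css.

```javascript
// Added example: not code from the original e-mail or from any browser.
// Toy model of the CVE-2010-0654 attack pattern and of the content-type
// gate the message discusses. Victim page, secret token, injection
// points and every function name are constructed for illustration.

// 1. Forward-compatible "core syntax" parser: <prelude>{ name:value; ... }
// Malformed pieces are skipped rather than aborting the sheet, which is
// what lets the parser find CSS inside a document that is really HTML.

// Index of the first stop char at brace depth 0 and outside a string
// (or src.length). An unescaped newline ends a string, as in CSS 2.1,
// so in this model the payload and the secret must share a line.
function scanUntil(src, i, stops) {
  let depth = 0, quote = null;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;
      else if (c === quote || c === "\n") quote = null;
      continue;
    }
    if (depth === 0 && stops.includes(c)) return i;
    if (c === '"' || c === "'") quote = c;
    else if (c === "{") depth++;
    else if (c === "}" && depth > 0) depth--;
  }
  return src.length;
}

const SIMPLE_SELECTOR = /^[#.]?[A-Za-z][\w-]*$/; // a prelude of HTML fails this
const STRING_VALUE = /^'[^'\n]*'$|^"[^"\n]*"$/;  // toy: only string values are valid

function parseDeclarations(body) {
  const style = {};
  for (let i = 0; i < body.length; ) {
    const end = scanUntil(body, i, ";");
    const colon = body.indexOf(":", i);
    if (colon !== -1 && colon < end) {
      const name = body.slice(i, colon).trim().toLowerCase();
      const value = body.slice(colon + 1, end).trim();
      if (/^[a-z-]+$/.test(name) && STRING_VALUE.test(value)) {
        style[name] = value.slice(1, -1); // the string without its quotes
      }
    } // anything else is a malformed declaration and is dropped
    i = end + 1;
  }
  return style;
}

function parseStyleSheet(src) {
  const rules = [];
  for (let i = 0; i < src.length; ) {
    const open = scanUntil(src, i, "{");
    if (open >= src.length) break;
    const close = scanUntil(src, open + 1, "}");
    const selector = src.slice(i, open).trim();
    if (SIMPLE_SELECTOR.test(selector)) { // invalid selector: whole rule dropped
      rules.push({ selector, style: parseDeclarations(src.slice(open + 1, close)) });
    }
    i = close + 1;
  }
  return rules;
}

// 2. The victim (constructed): a cross-origin HTML page that reflects two
// attacker-supplied parameters, one before and one after a secret token.
const SECRET = "csrf-7c2a91e4";
function victimPage(q, back, sameLine = true) {
  return [
    "<!DOCTYPE html><html><body>",
    `<p>Results for: ${q}</p>` + (sameLine ? "" : "\n") +
      `<input type="hidden" name="csrf" value="${SECRET}">` +
      `<a href="/">Back to ${back}</a>`,
    "</body></html>",
  ].join("\n");
}

// 3. The content-type gate. strict=false reproduces the loophole the
// message warns about: a missing or unparseable Content-Type is treated
// as if it said text/css; strict=true refuses such a sheet instead.
function parseMediaType(header) {
  if (header == null) return null;
  const essence = header.split(";")[0].trim().toLowerCase();
  return /^[\w!#$&^.+-]+\/[\w!#$&^.+-]+$/.test(essence) ? essence : null;
}
function acceptCrossOriginSheet(contentType, strict) {
  const type = parseMediaType(contentType);
  return type === null ? !strict : type === "text/css";
}

// 4. End to end: the attacker's page loads the victim URL as a stylesheet.
// `{}` closes the junk rule the HTML prefix started, `#x{content:'` opens
// a real rule whose string value swallows the secret, and `';}` closes it.
function stealSecret(contentType, strict, sameLine = true) {
  if (!acceptCrossOriginSheet(contentType, strict)) return null;
  const sheet = victimPage("{}#x{content:'", "';}", sameLine);
  const rule = parseStyleSheet(sheet).find((r) => r.selector === "#x");
  const m = rule && /value="([^"]+)"/.exec(rule.style.content || "");
  return m ? m[1] : null;
}

console.log("no Content-Type, lenient:", stealSecret(undefined, false)); // csrf-7c2a91e4
console.log("no Content-Type, strict: ", stealSecret(undefined, true));  // null
```

Run it with `node`. The cases worth trying: a response correctly labelled text/html is refused in either mode; with no Content-Type at all, lenient mode hands the page to the parser and the token comes back, while strict mode refuses it; a page the server itself mislabels as text/css leaks regardless of mode, which is the "as long as the server labels everything correctly" part of the message. Because the toy follows CSS 2.1 in ending a string at an unescaped newline, the same payload fails when the reflected parameter and the token sit on different lines of the page.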