W3C home > Mailing lists > Public > www-style@w3.org > June 2010

Re: [css2.1] Handling of style sheets with no MIME type, or an unparseable MIME type

From: Zack Weinberg <zweinberg@mozilla.com>
Date: Thu, 3 Jun 2010 13:10:31 -0700
To: W3C Emailing list for WWW Style <www-style@w3.org>
Message-ID: <20100603131031.3675ad95@moxana.local>
Zack Weinberg <zweinberg@mozilla.com> wrote:

> Mozilla happens to treat the absence of a content-type, an unparseable
> content-type, and a handful of 'sentinel' values that are not
> *supposed* to appear on the wire (but nothing prevents this) as
> equivalent to text/css.  However, CVE-2010-0654 (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive
> discussion) makes me think this is not a good idea.

I should be less telegraphic.  The attack in CVE-2010-0654 uses the
forward-compatible parsing algorithm to extract information from a
document that is not CSS (usually it would be HTML) bypassing
cross-origin restrictions.  We (browser vendors) have good ways to
block this attack as long as the server being attacked does label
everything correctly.  However, in real life things don't get labeled
correctly, and in particular I suspect there's still an awful lot of
HTML being served with no content-type header at all. Thus, if the CSS
parser treats the absence of content-type as equivalent to content-type
text/css, that's a pretty big loophole for the attack.

zw
Received on Thursday, 3 June 2010 20:11:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:28 GMT