W3C home > Mailing lists > Public > www-style@w3.org > June 2010

Re: [css2.1] Handling of style sheets with no MIME type, or an unparseable MIME type

From: L. David Baron <dbaron@dbaron.org>
Date: Thu, 3 Jun 2010 16:56:44 -0700
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Zack Weinberg <zweinberg@mozilla.com>, W3C Emailing list for WWW Style <www-style@w3.org>
Message-ID: <20100603235644.GA3291@pickering.dbaron.org>
On Thursday 2010-06-03 22:44 +0200, Bjoern Hoehrmann wrote:
> * Zack Weinberg wrote:
> >Mozilla happens to treat the absence of a content-type, an unparseable
> >content-type, and a handful of 'sentinel' values that are not
> >*supposed* to appear on the wire (but nothing prevents this) as
> >equivalent to text/css.  However, CVE-2010-0654 (see
> >https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive
> >discussion) makes me think this is not a good idea.
> 
> Do we know what browser vendors did exactly the last couple of times
> this issue came up? I recall for instance CAN-2002-0191 in 2002

In 2002 we forbade cross-domain access to CSS style sheets through
the object model (despite that the primary problem in that case was
with CSSUnknownRule, which we didn't implement):
https://bugzilla.mozilla.org/show_bug.cgi?id=135267

> and
> <http://www.hacker.co.il/security/ie/css_import.html> in 2005. It is

I'm having trouble telling from this how it differs from the 2002
issue.

> mentioned in MS02-023 for example, but details are scarce.

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/
Received on Thursday, 3 June 2010 23:57:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:28 GMT