Re: [csswg-drafts] [css-cascade-3] Add Security & Privacy appendix

I don't think Script Execution is a thing to worry about here; the worst a stylesheet can do is cause an existing defined-and-imported Houdini thing to be invoked more often than originally intended, but the page author still has to import that Houdini-using thing into their page on their own, and presumably already intends to use it.

All the other bits are about loading an external sheet that didn't want to be loaded, and extracting its information from side channels; the page is the hostile actor. A hostile stylesheet can't load itself into an innocent page via any mechanism in Cascade; that relies on a failure somewhere else in the stack.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/620#issuecomment-411851729 using your GitHub account

Received on Thursday, 9 August 2018 18:24:05 UTC