W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Collin Jackson <w3c@collinjackson.com>
Date: Sat, 5 Dec 2009 12:43:24 -0800
Message-ID: <986207e70912051243s692be032m6f853b15aecaf032@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Adam Barth <w3c@adambarth.com>, sird@rckc.at, public-web-security@w3.org
On Sat, Dec 5, 2009 at 11:05 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 12/5/09 1:05 PM, Collin Jackson wrote:
>> It seems like CSS3 is adding a lot of attack surface
> Maybe I'm missing something... what attack surface is being added here,
> exactly?  Attribute selectors?

Right. Attribute selectors that can read the values of input fields
and send the result over the network.

Injection of malicious style rules ("cross-site styling" if you like)
without attribute selectors is still dangerous, but may require more
social engineering to get private data, especially if the attacker
can't inject arbitrary HTML elements.

To be clear -- I'm not advocating to kill browser support for
attribute selectors, just arguing that the existence of attribute
selectors isn't a reason to kill seamless.

Received on Saturday, 5 December 2009 20:44:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC