Re: Seamless iframes + CSS3 selectors = bad idea from Maciej Stachowiak on 2009-12-06 (public-web-security@w3.org from December 2009)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 18:17:04 -0800
To: Collin Jackson <w3c@collinjackson.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Adam Barth <w3c@adambarth.com>, sird@rckc.at, public-web-security@w3.org
Message-id: <E6D744C0-CD5E-49A7-8834-6AF674FC367D@apple.com>

On Dec 5, 2009, at 12:43 PM, Collin Jackson wrote:

> On Sat, Dec 5, 2009 at 11:05 AM, Boris Zbarsky <bzbarsky@mit.edu>  
> wrote:
>> On 12/5/09 1:05 PM, Collin Jackson wrote:
>>> It seems like CSS3 is adding a lot of attack surface
>>
>> Maybe I'm missing something... what attack surface is being added  
>> here,
>> exactly?  Attribute selectors?
>
> Right. Attribute selectors that can read the values of input fields
> and send the result over the network.

An attribute selector on the value attribute can't read the actual  
value of an input field, only the default value.

Regards,
Maciej

Received on Sunday, 6 December 2009 02:17:46 UTC