javascript URIs on stylesheets/redirections

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Mon, 7 Dec 2009 13:31:06 +0800
Message-ID: <8ba534860912062131u70a05939g68490327c0c8db4e@mail.gmail.com>
To: public-web-security@w3.org


It says:
If a script is a javascript: URL in a style sheet
    The owner is the URL of the style sheet.

Does that mean javascript: URIs will be allowed?

And.. are you aware that CSS doesn't hard-fail? (I mean.. it's not like JS
that will exit at the first syntax error).

Something like:

  <!doctype html5>
  <a href="
http://www.example.com/}body{background-image:url(javascript:alert('who am

can be interpreted as a stylesheet..
<link href="http://www.google.com/search?for=something">

and execute the CSS, and according to that spec.. with www.google.com as
its origin.. that's super dangerous!

This is a PoC (without the actual unimplemented xss):

Just change the http:// to javascript: (for when this gets implemented)
and you've got a cool nice UXSS..

The second one:
If a script is a javascript: URL that was returned as the location of an
HTTP redirect (or equivalent in other protocols)
    The owner is the URL that redirected to the javascript: URL.

This is NOT happening as of right now.. on any browser afaik. You can try!

And preview: http://preview.tinyurl.com/jsredirect

The only "redirects" that execute JS are Refresh (via headers or meta).. but
I wouldn't consider them an HTTP redirect.. per se..

I haven't reviewed the whole spec, but this stuff is disappointing..

-- Eduardo

Sent from Hangzhou, 33, China
Received on Monday, 7 December 2009 05:32:06 UTC

