Re: Seamless iframes + CSS3 selectors = bad idea

On Tue, Dec 8, 2009 at 1:04 AM, Daniel Glazman <daniel@glazman.org> wrote:
> Thomas Roessler wrote:
>> Part of the community has been asking questions about the ever
>> growing expressive power of CSS (and its impact on Web security)
>> for a while now.  I strongly suggest taking that part of the
>> community seriously now, instead of facing problems later.
>
> First the CSS WG members easily accept the fact they're not
> security experts. So we clearly rely on YOU guys.
> Second, :visited is more than 13 years old. Attribute selectors are 11
> years old. Both have been implemented and shipped by mainstream
> browsers for ages.
>
> And it's the CSS WG that takes problems late? Come on, give me
> a break. We make our specs just like any other WG. We call for
> comments and are all ears. But telling us that an 11-year-old
> feature implemented in Mozilla since March 2001 (I know the date
> because _I_ did it) is dangerous and should be removed because too
> powerful on the basis it can be injected seems to me insane. The problem
> here is injection or cross-site references, not CSS itself. If the idea
> is to make cross-linking of stylesheets impossible, I will strongly
> fight that proposal because of its major impact on web-based
> applications.

One of my favorite parts about security is that "the buck stops here,"
meaning finger-pointing about who's responsible for what doesn't
really matter.  In the end, we need to consider the security of the
system as a whole.

If you agree that we ought to do something about the threat of
stealing CSRF tokens with attribute selectors, then the question
becomes "what should we do?" not "who's responsible for the problem?"

So, what should we do?

Adam

Received on Tuesday, 8 December 2009 09:12:00 UTC