- From: Daniel Glazman <daniel@glazman.org>
- Date: Tue, 08 Dec 2009 10:23:08 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

Adam Barth wrote:
> If you agree that we ought to do something about the threat of
> stealing CSRF tokens with attribute selectors, then the question
> becomes "what should we do?" not "who's responsible for the problem?"
>
> So, what should we do?

As I said, I am not the security guy.
From my naive point of view, there are three possibilities:

1. act at the injection level; make cross-linking of stylesheets
   impossible. That would kill many web-based applications and I
   certainly do not support that.

2. make attribute selectors in cross-linked stylesheets fail or reply
   silly things; ugly, not my choice, see 4 below

3. kill attribute selectors; will never happen, period.

4. add a declarative option to <link> and <style> elements to say
   the CSS parser should be in a "sandboxed" mode, dropping some
   selectors, properties and values. From our CSS WG point of view,
   it's almost a profile of CSS. That is doable modulo the fact
   browser vendors accept to implement it; the way to do it is then
   to write a spec detailing a "CSS Secure Profile" (that's your task
   guys), have HTML add something to <link> and <style> for sandboxed
   stylesheets, and finally pray a bit you'll see it implemented before
   the end of the next decade.

</Daniel>
Received on Tuesday, 8 December 2009 09:23:40 UTC
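
Option 4 in the message above, as an added example that is not part of the original message or of any CSS or HTML specification: a JavaScript filter applying a hypothetical profile that drops every style rule whose selector contains an attribute selector. The function names, the decision to keep only `@media` and `@supports` groups among at-rules, and the sample stylesheet are assumptions made for illustration.

```javascript
// Added illustration of a hypothetical "sandboxed" stylesheet profile; not a browser feature.
// Split CSS into top-level rules. body is null for statements such as @import.
function splitRules(css) {
  const rules = [];
  let depth = 0, start = 0, bodyStart = -1, quote = null;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (quote) {                       // inside a string: braces are literal
      if (c === '\\') i++;             // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '{') {
      if (depth++ === 0) bodyStart = i;
    } else if (c === '}') {
      if (--depth === 0) {
        rules.push({ prelude: css.slice(start, bodyStart).trim(), body: css.slice(bodyStart + 1, i) });
        start = i + 1;
      }                                // an unbalanced '}' emits nothing (fail closed)
    } else if (c === ';' && depth === 0) {
      rules.push({ prelude: css.slice(start, i).trim(), body: null });
      start = i + 1;
    }
  }
  return rules;
}

// Return only the rules the assumed profile allows.
function sandboxCss(css) {
  const out = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ' ');   // comments become a space
  for (const { prelude, body } of splitRules(text)) {
    if (prelude.startsWith('@')) {
      // Keep conditional groups, filtering their contents; drop every other
      // at-rule (an @import would pull in a sheet this filter never sees).
      if (body !== null && /^@(media|supports)\b/i.test(prelude))
        out.push(`${prelude} { ${sandboxCss(body)} }`);
    } else if (body !== null && !prelude.includes('[')) {
      out.push(`${prelude} { ${body.trim()} }`);          // no attribute selector
    }
  }
  return out.join('\n');
}
// Constructed sample input.
const sample = `@import url("more.css");
input[value^="a"] { color: red; }
.nav a { color: #036; }
@media print { a[href] { color: red } p { margin: 0 } }`;
console.log(sandboxCss(sample));
```

The filter treats any `[` in a rule's prelude as an attribute selector, which is deliberately conservative; a real profile would also have to decide which properties and values to drop, as the message notes.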