2009/12/8 Adam Barth <w3c@adambarth.com>
> One of my favorite parts about security is that "the buck stops here,"
> meaning finger-pointing about who's responsible for what doesn't
> really matter. In the end, we need to consider the security of the
> system as a whole.
>
> If you agree that we ought to do something about the threat of
> stealing CSRF tokens with attribute selectors, then the question
> becomes "what should we do?" not "who's responsible for the problem?"
>
> So, what should we do?
>
One possible solution would be to ignore hidden field types and password
field types when using selectors. So for example:-
<style>
input[value*="a"]#token {
/*
Any rules are disabled or limited as the field type is hidden
*/
}
</style>
<input type=hidden id=token value=supersecret>