- From: Daniel Glazman <daniel@glazman.org>
- Date: Tue, 08 Dec 2009 10:42:48 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Adam Barth wrote:

>> 3. kill attribute selectors; will never happen, period.
>
> Can you elaborate on this point? Why is this off the table?

Because millions of people use it? Because millions of web sites use it? Because the feature is absolutely needed by them and it's not the right thing to do?

> I don't understand why that would help. Wouldn't the attacker simply
> load their stylesheet in a non-sandboxed mode?

If the attacker has the ability to load in non-sandboxed mode, he/she has the ability to

(a) create a <link> or <style> element and then CSS is the least problem since the attacker has access to the whole DOM

(b) be a man-in-between and replace a linked stylesheet by his/her own; again, if he/she can do that, targeting JS is a much better option.

</Daniel>
Received on Tuesday, 8 December 2009 09:43:21 UTC