2009/12/8 Daniel Glazman <daniel@glazman.org> > If the attacker has the ability to load in non-sandboxed mode, he/she > has the ability to (a) create a <link> or <style> element and then CSS > is the least problem since the attacker has access to the whole DOM > (b) be a man-in-between and replace a linked stylesheet by his/her own; > again, if he/she can do that, targetting JS is a much better option. Daniel that's the point. The site is assumed safe from XSS but allows CSS and those selectors and it assumes they are safe.
Received on Tuesday, 8 December 2009 09:53:15 UTC