2009/12/8 Daniel Glazman <daniel@glazman.org>
> If the attacker has the ability to load in non-sandboxed mode, he/she
> has the ability to (a) create a <link> or <style> element and then CSS
> is the least problem since the attacker has access to the whole DOM
> (b) be a man-in-between and replace a linked stylesheet by his/her own;
> again, if he/she can do that, targetting JS is a much better option.
Daniel that's the point. The site is assumed safe from XSS but allows CSS
and those selectors and it assumes they are safe.