- From: Devdatta <dev.akhawe@gmail.com>
- Date: Tue, 8 Dec 2009 11:10:04 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Daniel Glazman <daniel@glazman.org>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
> > Daniel that's the point. The site is assumed safe from XSS but allows CSS > and those selectors and it assumes they are safe. > Does anyone have any data to support that such sites do exist ? Viz. sites that * Disallow script injection * Allow arbitrary CSS injection (no whitelist/blacklist) * Aren't vulnerable to XSS. Maciej gave a few examples that clearly demonstrate how widely attribute selectors are used. We could do with some examples to show how the scenario we are talking about is actually widely prevalent. Cheers devdatta 2009/12/8 gaz Heyes <gazheyes@gmail.com>: > > > 2009/12/8 Daniel Glazman <daniel@glazman.org> >> >> If the attacker has the ability to load in non-sandboxed mode, he/she >> has the ability to (a) create a <link> or <style> element and then CSS >> is the least problem since the attacker has access to the whole DOM >> (b) be a man-in-between and replace a linked stylesheet by his/her own; >> again, if he/she can do that, targetting JS is a much better option. > > Daniel that's the point. The site is assumed safe from XSS but allows CSS > and those selectors and it assumes they are safe. >
Received on Tuesday, 8 December 2009 19:11:04 UTC