- From: Daniel Glazman <daniel@glazman.org>
- Date: Tue, 08 Dec 2009 20:10:38 +0100
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Maciej Stachowiak wrote: > 1) Arbitrarily move around elements on the page. > 2) Make any element invisible. > 3) Replace the visible contents of elements with chosen images or text. > 4) Overlay one element invisibly on top of another. > > Using these, you can make the "Delete Account" button look like a "Mail > me a Free Pony" button. This isn't even counting features like > -moz-binding or CSS expressions. > > Thus, any site doing voluntary injection of CSS must do whitelisting to > be safe. Any site with inadvertent CSS injection holes is already at > great risk. This I am not sure it is worth focusing on attribute > selectors specifically as a CSS-based attack vector. Am I missing > anything here? I don't think so. You covered most issues related to CSS if you except the following one : you can make an element almost invisible using the same color for background and foreground. </Daniel>
Received on Tuesday, 8 December 2009 19:11:10 UTC