Re: Risks from CSS injection

2009/12/8 Maciej Stachowiak <mjs@apple.com>

> I'd like to backpedal from this proposal for a second so I can understand
> the issue better. Are we worried about:
>
> A) Sites that voluntarily include untrusted CSS (such as user-provided)
> without filtering being exposed to data theft risk.
> B) Sites that have inadvertent CSS injection risk (but without the
> possibility of script injection) being exposed to data theft risk.
> C) Both.
>

My thoughts are that a site author whitelists so-called safe CSS properties
like the selectors and background images and they are not vulnerable to XSS.
So CSS can have the same impact as XSS. I don't want to overhype this
vulnerability as it hasn't been exploited in the wild (to my knowledge). We
are just discussing the technical details and what is possible so it's up to
you guys if you think the risk is great enough.

Received on Tuesday, 8 December 2009 20:18:04 UTC