W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Risks from CSS injection

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 20:17:24 +0000
Message-ID: <252dd75b0912081217g13eb7757t9b7a08fa06c5f514@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
2009/12/8 Maciej Stachowiak <mjs@apple.com>

> I'd like to backpedal from this proposal for a second so I can understand
> the issue better. Are we worried about:
> A) Sites that voluntarily include untrusted CSS (such as user-provided)
> without filtering being exposed to data theft risk.
> B) Sites that have inadvertent CSS injection risk (but without the
> possibility of script injection) being exposed to data theft risk.
> C) Both.

My thoughts are that a site author whitelist so called safe css properties
like the selectors and background images and they are not vulnerable to XSS.
So CSS can have the same impact as XSS. I don't want to over hype this
vulnerability as it hasn't be exploited in the wild (to my knowledge). We
are just discussing the technical details and what is possible so it's up to
you guys if you think the risk is great enough
Received on Tuesday, 8 December 2009 20:18:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC