- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 8 Dec 2009 17:15:02 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

On Tue, Dec 8, 2009 at 10:54 AM, Maciej Stachowiak <mjs@apple.com> wrote:

> Thus, any site doing voluntary injection of CSS must do whitelisting to be
> safe. Any site with inadvertent CSS injection holes is already at great
> risk. This I am not sure it is worth focusing on attribute selectors
> specifically as a CSS-based attack vector. Am I missing anything here?

You seem to be equating the severity of attacks that require user interaction with attacks that require no user interaction. Attacks that require no user interaction are at least an order of magnitude more severe. For example, click-through rates on advertisements are typically around 1%, so an attack that I can run in an advertisement's iframe is likely to be 100x more successful than one that requires the user to click on the ad.

Adam

Received on Wednesday, 9 December 2009 01:16:08 UTC