- From: gaz Heyes <gazheyes@gmail.com>
- Date: Wed, 9 Dec 2009 16:46:42 +0000
- To: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Cc: public-web-security@w3.org
Received on Wednesday, 9 December 2009 16:47:23 UTC
2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com>

> In particular, I would suggest that nothing ever be added to CSS that
> triggers access to remote resources but doesn't use url(), and is
> allowed in inline styles or doesn't have to be at the top of the
> stylesheet. As far as I know, there are currently no such constructs
> that exist or are planned, so blacklisting the (a)-(c) that I gave
> should be safe. Is this correct? If so, does it sound like it's
> feasible to keep it safe?

Namespaces allow remote resources without url() <http://www.w3.org/TR/css3-namespace/>

CSS3 Attr() proposed functionality specifies url as an argument.

The ability to read and distribute any CSS property could be a problem too if you can interact with the value and another selector.