Re: Risks from CSS injection

On Dec 9, 2009, at 8:46 AM, gaz Heyes wrote:

> 2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com>
> In particular, I would suggest that nothing ever be added to CSS that
> triggers access to remote resources but doesn't use url(), and is
> allowed in inline styles or doesn't have to be at the top of the
> stylesheet.  As far as I know, there are currently no such constructs
> that exist or are planned, so blacklisting the (a)-(c) that I gave
> should be safe.  Is this correct?  If so, does it sound like it's
> feasible to keep it safe?
>
> Namespaces allow remote resources without url()
> <http://www.w3.org/TR/css3-namespace/>

I don't see how? The use of URLs there is solely for purposes of
defining XML namespaces; the URLs are never dereferenced.

Regards,
Maciej
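The distinction drawn above, as an added example that is not code from the thread: a small Python scanner that flags the CSS constructs which actually trigger a remote fetch (url() and @import are assumed here as that list) while leaving @namespace declarations alone, since their URI is only an identifier and is never dereferenced. The function names are my own.

```python
import re

# Added example, not code from the www-style thread. It flags the CSS
# constructs that cause a remote fetch so a sanitizer can reject them, and
# it deliberately leaves @namespace alone: the namespace URI is only an
# identifier and is never dereferenced (the point made in the reply above).

# CSS backslash escapes: "\72 " is 'r', "\." is a literal '.'.
_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)', re.S)
_COMMENT = re.compile(r'/\*.*?\*/', re.S)

# Assumed list of fetch-triggering constructs; extend it as new ones appear.
# Note this is conservative: the url() form of @namespace is harmless but
# would also be flagged, which matches blacklisting url() outright.
_FETCHING = [
    ("url()", re.compile(r'\burl[ \t\n]*\(', re.I)),
    ("@import", re.compile(r'@import\b', re.I)),
]


def unescape_css(css: str) -> str:
    """Resolve escapes so the scanner sees the same text the parser does."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return m.group(2)
    return _ESCAPE.sub(repl, css)


def find_remote_fetches(css: str) -> list:
    """Return (construct, offset) pairs for every fetch-triggering construct."""
    normalized = _COMMENT.sub('', unescape_css(css))
    hits = []
    for name, pattern in _FETCHING:
        for m in pattern.finditer(normalized):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def is_safe_inline_style(css: str) -> bool:
    """True when an inline style contains no fetch-triggering construct."""
    return not find_remote_fetches(css)


if __name__ == "__main__":
    # Constructed inputs: a fetching declaration and a namespace declaration.
    print(find_remote_fetches("background: url(http://example.invalid/a.png)"))
    print(find_remote_fetches('@namespace svg "http://www.w3.org/2000/svg";'))
```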

Received on Wednesday, 9 December 2009 17:33:55 UTC