Re: Risks from CSS injection

2009/12/9 Aryeh Gregor <Simetrical+w3c@gmail.com>

> On Wed, Dec 9, 2009 at 11:46 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> > Namespaces allow remote resources without url()
> > <http://www.w3.org/TR/css3-namespace/>
>
> Where?  Namespace URIs normally wouldn't be fetched, would they?
> Also, @namespace has to precede all valid rules, so (c) would prevent
> it from being processed.
>

Ah, OK. I thought the URL would be fetched; my mistake:-

@namespace "http://example.com/foo";

> > The ability to read and distribute any CSS property could be a problem
> > too if you can interact with the value and another selector.
>
> What do you mean by this?
>

So you may think that getting the width is ok, right? Here I use the width
as a reference to the letter:-

input[value*="a"] {
 width:0;
}
input[width="0"] {
 background:attr(width, url);
}
input[value*="b"] {
 width:1;
}
input[width="1"] {
 background:attr(width, url);
}

Received on Wednesday, 9 December 2009 19:30:46 UTC
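
Added example (not part of the original message or thread): a JavaScript heuristic a reviewer could run over untrusted CSS to flag the pattern in the snippet above, where a selector that tests an attribute's value is paired with a value that can name a resource, such as url() or attr(). The function names and finding labels are assumptions, and the regex-based rule splitting is a simplification, not a full CSS parser.

```javascript
// Added example: heuristic review of untrusted CSS. Not a full CSS parser.
// Names (normalize, reviewCss, finding kinds) are assumptions for illustration.

// Strip comments and decode CSS escapes so "u\72l(" is compared as "url(".
function normalize(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    })
    .replace(/\\([^\n])/g, "$1");
}

// Selector tests an attribute's value: [value*="a"], [width="0"], [x^=y] ...
const VALUE_SELECTOR = /\[\s*[\w-]+\s*[~|^$*]?=/;
// Declaration value that can name a resource: url(...), attr(width, url)
const FETCH_VALUE = /\b(?:url|attr)\s*\(/i;

function reviewCss(untrusted) {
  const findings = [];
  // Innermost "selector { declarations }" pairs; at-rule wrappers are skipped.
  for (const m of normalize(untrusted).matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selector = m[1].trim();
    const readsValue = VALUE_SELECTOR.test(selector);
    const fetches = FETCH_VALUE.test(m[2]);
    if (readsValue && fetches) findings.push({ kind: "value-to-fetch", selector });
    else if (readsValue) findings.push({ kind: "value-selector", selector });
    else if (fetches) findings.push({ kind: "fetch", selector });
  }
  return findings;
}

// The stylesheet quoted in the message above, embedded as sample input.
const SAMPLE = `
input[value*="a"] { width:0; }
input[width="0"] { background:attr(width, url); }
input[value*="b"] { width:1; }
input[width="1"] { background:attr(width, url); }
`;

for (const f of reviewCss(SAMPLE)) console.log(f.kind, "<-", f.selector);
```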