Re: HTML imports: new XSS hole?

Some initial informal testing shows that import links do make it through
the filters I have readily handy. It was quick work to write up some custom
filters, however.
On Jun 2, 2014 1:52 PM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

> On 6/2/14, 4:21 PM, Giorgio Maone wrote:
>
>> I do hope any filter already blocked out <link> elements, as CSS has
>> been an XSS vector for a long time
>>
>
> <link> elements without "stylesheet" in rel don't load CSS, though.
>
> Hence the worries about blacklist vs whitelist...
>
> -Boris
>
>

Received on Monday, 2 June 2014 21:19:02 UTC
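
The blacklist vs whitelist concern from the thread, as an added example that is not part of the original messages: a filter that only removes the <link> form it knows to be dangerous (rel containing "stylesheet") passes rel="import" through, while a filter that keeps only known-safe elements drops it. The policy functions, the allowed-tag set and the sample markup are all constructed for illustration, and this is a sketch of the tag policy only, not a complete sanitizer.

```python
import html
from html.parser import HTMLParser

# Constructed sample markup (not from the thread).
SAMPLE = ('<p>hi</p><link rel="stylesheet" href="a.css">'
          '<link rel="import" href="widget.html"><b>ok</b>')

# Assumed policy for the allowlist filter: no <link> at all.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong"}


def denylist_policy(tag, attrs, raw):
    """Remove only known-bad tags: <script> and <link rel=stylesheet>."""
    rel = (attrs.get("rel") or "").lower().split()
    if tag == "script" or (tag == "link" and "stylesheet" in rel):
        return None
    return raw  # everything else passes unchanged, attributes included


def allowlist_policy(tag, attrs, raw):
    """Keep only known-safe tags, re-emitted without any attributes."""
    return f"<{tag}>" if tag in ALLOWED_TAGS else None


class TagFilter(HTMLParser):
    """Re-serialises the tags a policy accepts; text is always escaped."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []

    def handle_starttag(self, tag, attrs):
        emitted = self.policy(tag, dict(attrs), self.get_starttag_text())
        if emitted:
            self.out.append(emitted)

    def handle_endtag(self, tag):
        if self.policy(tag, {}, f"</{tag}>"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup, policy):
    parser = TagFilter(policy)
    parser.feed(markup)
    parser.close()  # flush any buffered text
    return "".join(parser.out)
```

Running both policies over the same input shows the gap: the denylist output still contains the rel="import" link, and the allowlist output does not.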