Re: HTML imports: new XSS hole?

From: James M Snell <jasnell@gmail.com>
Date: Mon, 2 Jun 2014 14:18:35 -0700
Message-ID: <CABP7RbcdXcNi-ca+qTPmDtgUndfz8tz=FeUiLLVRDasRBdeTsw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebApps WG <public-webapps@w3.org>, Giorgio Maone <g.maone@informaction.com>

Some initial informal testing shows that import links do make it through
the filters I have readily handy. It was quick work to write up some custom
filters, however.

On Jun 2, 2014 1:52 PM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

> On 6/2/14, 4:21 PM, Giorgio Maone wrote:
>
>> I do hope any filter already blocked out <link> elements, as CSS has
>> been an XSS vector for a long time
>>
>
> <link> elements without "stylesheet" in rel don't load CSS, though.
>
> Hence the worries about blacklist vs whitelist...
>
> -Boris
>
>
Received on Monday, 2 June 2014 21:19:02 UTC
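
The blacklist-versus-whitelist concern raised in this thread, as an added example that is not code from any of the participants: it audits which `<link>` elements survive a filter that only rejects `rel` values containing `stylesheet`, compared with one that only accepts `rel` values it knows it needs. The sample markup, the `ALLOWED_REL` set and the names `LinkAudit` and `audit` are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample input: user-supplied markup as a sanitizer might receive it.
SAMPLE = (
    '<p>hello</p>'
    '<link rel="stylesheet" href="https://example.invalid/a.css">'
    '<link rel="import" href="https://example.invalid/component.html">'
    '<LINK REL=" Import " HREF="https://example.invalid/other.html">'
    '<link rel="icon" href="/favicon.ico">'
    '<link href="/no-rel.html">'
)

# Assumption: the only link type this hypothetical site needs from user markup.
ALLOWED_REL = {"icon"}


class LinkAudit(HTMLParser):
    """Records the href of every <link> each policy would let through."""

    def __init__(self):
        super().__init__()
        self.blacklist_pass = []  # policy A: reject only rel tokens known to be bad
        self.allowlist_pass = []  # policy B: accept only rel tokens known to be needed

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, not attribute values.
        if tag != "link":
            return
        attr = dict(attrs)
        # rel is a space-separated, case-insensitive token list.
        tokens = set((attr.get("rel") or "").lower().split())
        if "stylesheet" not in tokens:
            self.blacklist_pass.append(attr.get("href"))
        # Every token must be allowed, and a missing or empty rel is rejected.
        if tokens and tokens <= ALLOWED_REL:
            self.allowlist_pass.append(attr.get("href"))


def audit(markup):
    """Return (hrefs passed by the blacklist, hrefs passed by the allowlist)."""
    parser = LinkAudit()
    parser.feed(markup)
    parser.close()
    return parser.blacklist_pass, parser.allowlist_pass


if __name__ == "__main__":
    passed_blacklist, passed_allowlist = audit(SAMPLE)
    print("blacklist lets through:", passed_blacklist)
    print("allowlist lets through:", passed_allowlist)
```

The blacklist policy needs a new rule each time a `rel` value gains loading behaviour, while the allowlist policy rejects such values without any change.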
