- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 20 Sep 2012 14:04:21 -0400
- To: Mike West <mkwst@google.com>
- CC: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org
On 9/20/12 1:56 PM, Mike West wrote: > On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: >> For now. Until people add selectors to inline styles. There have been >> several proposals for that. > > Hrm. That sounds weird. > > Link? I'm morbidly curious. :) I'd have to search... it was on the public-html or whatwg list. >> (On a side note, it's not clear to me how attribute selectors would lead >> data typed into an <input>, unless the page has script stashing the data >> into an attribute somewhere....) > > I just came across > http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf, > which describes some interesting scriptless attack vectors. Section > 3.1 bullet 3 and following has good detail on CSS3 in particular. Sure. There's all sorts of interesting stuff you can do with CSS, and I totally agree that you want to block it in many cases to avoid those things. My side note was very specifically about the quoted combination of "attribute selector" and "leak data typed into an <input>", because that part is non-obvious to me. -Boris
Received on Thursday, 20 September 2012 18:04:51 UTC