- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 20 Sep 2012 11:16:26 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Mike West <mkwst@google.com>, public-webappsec@w3.org
On Thu, Sep 20, 2012 at 11:04 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/20/12 1:56 PM, Mike West wrote:
>>
>> On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>>
>>> For now. Until people add selectors to inline styles. There have been
>>> several proposals for that.
>>
>> Hrm. That sounds weird.
>>
>> Link? I'm morbidly curious. :)
>
> I'd have to search... it was on the public-html or whatwg list.
>
>>> (On a side note, it's not clear to me how attribute selectors would leak
>>> data typed into an <input>, unless the page has script stashing the data
>>> into an attribute somewhere....)
>>
>> I just came across
>>
>> http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf,
>> which describes some interesting scriptless attack vectors. Section
>> 3.1 bullet 3 and following has good detail on CSS3 in particular.
>
> Sure. There's all sorts of interesting stuff you can do with CSS, and I
> totally agree that you want to block it in many cases to avoid those things.
> My side note was very specifically about the quoted combination of
> "attribute selector" and "leak data typed into an <input>", because that
> part is non-obvious to me.

Maybe it only works for data that's been pre-filled into input@value?
I haven't tested this stuff in a while.

Adam

Received on Thursday, 20 September 2012 18:17:26 UTC