Re: unsafe-inline for style-src

On Thu, Sep 20, 2012 at 11:04 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/20/12 1:56 PM, Mike West wrote:
>>
>> On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>>
>>> For now.  Until people add selectors to inline styles.  There have been
>>> several proposals for that.
>>
>>
>> Hrm. That sounds weird.
>>
>> Link? I'm morbidly curious. :)
>
>
> I'd have to search... it was on the public-html or whatwg list.
>
>
>>> (On a side note, it's not clear to me how attribute selectors would lead
>>> data typed into an <input>, unless the page has script stashing the data
>>> into an attribute somewhere....)
>>
>>
>> I just came across
>>
>> http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf,
>> which describes some interesting scriptless attack vectors. Section
>> 3.1 bullet 3 and following has good detail on CSS3 in particular.
>
>
> Sure.  There's all sorts of interesting stuff you can do with CSS, and I
> totally agree that you want to block it in many cases to avoid those things.
> My side note was very specifically about the quoted combination of
> "attribute selector" and "leak data typed into an <input>", because that
> part is non-obvious to me.

Maybe it only works for data that's been pre-filled into input@value ?
 I haven't tested this stuff in a while.

Adam

Received on Thursday, 20 September 2012 18:17:26 UTC