- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Thu, 20 Sep 2012 18:34:24 +0000
- To: Adam Barth <w3c@adambarth.com>, Boris Zbarsky <bzbarsky@mit.edu>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
> 2) Phishing. If an attacker can inject elements into a page with arbitrary style,
> the attacker can completely change the appearance of the page and, for
> example, make the page show a login screen. This attack is more powerful
> than a traditional phishing attack because the browser's location bar will still
> show the URL of the real web site (including any EV indicators or whatnot).
> To mitigate this risk, we need to block both <style> and @style.

[Hill, Brad] Is this really an in-scope goal? It seems to me that phishing would actually be more effective if it re-used the existing styles available with the genuine content than if it tried to create new styles. I thought inline styles were forbidden because they could be script-equivalents in some cases.
Received on Thursday, 20 September 2012 18:34:53 UTC
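The mitigation quoted above ("block both <style> and @style") is the style-src part of CSP. The following is an added example written for this archive page, not code from the thread, from the W3C spec or from any browser: a small evaluator of the CSP rules that decide whether an injected <style> element or a style="" attribute is honoured (style-src, fallback to default-src, 'unsafe-inline', nonces on elements only, and 'unsafe-inline' being ignored once a nonce or hash source is present). Hash sources and 'unsafe-hashes' are deliberately not modelled. The injected fragments are constructed samples of the overlay-phishing markup the thread describes, and the regex scanner that finds their style carriers is an assumption that is sufficient only for those samples.

```javascript
// Added example, not from the thread: decide whether CSP lets injected markup
// restyle a page. Parses a header such as
// "default-src 'self'; style-src 'nonce-r4nd0m'" into { "default-src": [...], ... }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// style-src governs both <style> elements and style="" attributes; when it is
// absent, default-src applies; when neither is present nothing is restricted.
function styleSources(policy) {
  if (policy['style-src']) return policy['style-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// kind: 'element' (a <style> block) or 'attribute' (style="...").
// nonce: the nonce attribute on the <style> element, if any. Attributes cannot
// carry a nonce, so a nonce-only policy blocks every style="" attribute.
function inlineStyleAllowed(header, kind, nonce) {
  const sources = styleSources(parseCsp(header));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored when a nonce or hash source is also listed.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  if (kind === 'element' && nonce) return sources.includes(`'nonce-${nonce}'`);
  return false;
}

// Find the inline-style carriers in an injected fragment: <style> elements
// (with their nonce, if any) and style="" attributes on other elements.
// Assumption: a regex scan is enough for the constructed samples below.
function findInlineStyles(fragment) {
  const found = [];
  let m;
  const elementRe = /<style\b([^>]*)>/gi;
  while ((m = elementRe.exec(fragment)) !== null) {
    const nonceMatch = /nonce\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    found.push({ kind: 'element', nonce: nonceMatch ? nonceMatch[1] : null });
  }
  const attrRe = /<(?!style\b)[a-z][^>]*\sstyle\s*=/gi;
  while ((m = attrRe.exec(fragment)) !== null) {
    found.push({ kind: 'attribute', nonce: null });
  }
  return found;
}

// True when every style carrier in the fragment is blocked by the policy,
// i.e. the injected markup cannot change the appearance of the page.
function fragmentFullyBlocked(header, fragment) {
  return findInlineStyles(fragment)
    .every(s => !inlineStyleAllowed(header, s.kind, s.nonce));
}

// Constructed samples of the overlay-phishing markup discussed in the thread.
const SAMPLES = {
  // hides the genuine content with a <style> block and shows a fake login form
  styleBlock: '<style>#main{display:none}</style><form id="fake-login"><input name="pw"></form>',
  // same overlay, but every style is carried on the injected elements themselves
  styleAttr: '<div style="position:fixed;inset:0;background:#fff"><form><input name="pw"></form></div>',
  // an injected block carrying a nonce the attacker somehow obtained
  noncedBlock: '<style nonce="r4nd0m">#main{display:none}</style>',
};

// Stand-alone run: a policy without 'unsafe-inline' blocks both sample overlays.
const EXAMPLE_POLICY = "default-src 'self'; style-src 'self'";
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, fragmentFullyBlocked(EXAMPLE_POLICY, html) ? 'blocked' : 'ALLOWED');
}
```

The point the evaluator makes concrete is the one in the quoted text: as long as style-src (or the default-src fallback) omits 'unsafe-inline', both the <style> overlay and the attribute-only overlay are blocked, while adding 'unsafe-inline' lets both through. A nonce policy blocks the attribute form unconditionally and the element form unless the attacker has the current nonce.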