- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 4 Feb 2012 09:52:21 -0800
On Fri, Feb 3, 2012 at 10:47 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/3/12 11:15 PM, Ian Hickson wrote:
>>
>> No, I agree with you that if the author is using HTTP styles on their
>> HTTPS page that an attacker could screw with the page. But my point is
>> that fixing that is easy: just move the styles to HTTPS. In the case of
>> scripts it's not that easy because the scripts might be on third-party
>> servers
>
> Styles are also commonly found on third-party servers...
>
>> in complicated setups
>
> Likewise.
>
> But yeah, I'd love to hear from Adam here.

I've somewhat lost track of this thread. If you're asking about how dangerous it is to include HTTP styles in an HTTPS page, it's less dangerous than script but more dangerous than images. Chrome classifies styles as "active mixed content", which has a number of effects, including triggering scarier UI.

One way to think about insecure styles is to imagine they let the attacker completely control the appearance of the page (this is actually not that far from the truth). There are many pages where controlling their appearance is almost as good as injecting script into them. For example, you can convince the user to type their password into a text field that is actually a direct message to the attacker, etc.

Adam
Received on Saturday, 4 February 2012 09:52:21 UTC