On Thursday 2010-06-03 22:44 +0200, Bjoern Hoehrmann wrote: > * Zack Weinberg wrote: > >Mozilla happens to treat the absence of a content-type, an unparseable > >content-type, and a handful of 'sentinel' values that are not > >*supposed* to appear on the wire (but nothing prevents this) as > >equivalent to text/css. However, CVE-2010-0654 (see > >https://bugzilla.mozilla.org/show_bug.cgi?id=524223 for extensive > >discussion) makes me think this is not a good idea. > > Do we know what browser vendors did exactly the last couple of times > this issue came up? I recall for instance CAN-2002-0191 in 2002 In 2002 we forbade cross-domain access to CSS style sheets through the object model (despite that the primary problem in that case was with CSSUnknownRule, which we didn't implement): https://bugzilla.mozilla.org/show_bug.cgi?id=135267 > and > <http://www.hacker.co.il/security/ie/css_import.html> in 2005. It is I'm having trouble telling from this how it differs from the 2002 issue. > mentioned in MS02-023 for example, but details are scarce. -David -- L. David Baron http://dbaron.org/ Mozilla Corporation http://www.mozilla.com/Received on Thursday, 3 June 2010 23:57:16 UTC
This archive was generated by hypermail 2.4.0 : Monday, 23 January 2023 02:13:47 UTC