- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Fri, 15 Jul 2011 16:39:12 +1200
- To: Alan Gresley <alan@css-class.com>
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>
Received on Friday, 15 July 2011 04:39:43 UTC
On Fri, Jul 15, 2011 at 4:12 PM, Alan Gresley <alan@css-class.com> wrote:

> What about element(). Does it have same-origin restrictions?
>
> Evil document has this CSS and HTML.
>
> div {
>   background: element(http://goodbank.com/foo.html#header);
> }
>
> button, input {
>   color: transparent;
>   background: transparent;
>   border-color: transparent;
>   position: /* where appropriate */
> }
>
> <div>
>   <input />
>   <input />
>   <button />
>   ......
> </div>

We actually would impose a same-origin restriction there, but only because we load element() resources through the SVG external resource mechanism, which we impose same-origin restrictions on for various reasons.

But the evil behavior you're describing can already be done today, either by placing an <iframe src="http://goodbank.com/..."> under other content in the attacker's Web page, or often just by the attacker faking the bank's look on their own server.

Rob
--
"If we claim to be without sin, we deceive ourselves and the truth is not in us. If we confess our sins, he is faithful and just and will forgive us our sins and purify us from all unrighteousness. If we claim we have not sinned, we make him out to be a liar and his word is not in us." [1 John 1:8-10]
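The overlay Rob describes (a transparent form laid over a framed copy of the bank's page) is only possible if the bank's page can be framed by a foreign origin at all, so the defender-side question is whether the response carries a framing policy. The following is an added example, not code from this thread or from any browser or W3C project: a small Node.js check that parses `X-Frame-Options` and the CSP `frame-ancestors` directive from response headers and reports whether some origin other than the page's own may frame it. The header sets are constructed samples, not captured from any real site.

```javascript
// Added example: evaluate a response's framing policy from its headers.
// Headers are given as a plain object with lowercase names.

// Parse a Content-Security-Policy value into a Map of directive -> source tokens.
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { framable, reason }: `framable` is true when an origin other than the
// page itself is permitted to embed it in a frame.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp).get('frame-ancestors');
    if (fa) {
      // When both headers are present, browsers honour frame-ancestors and ignore X-Frame-Options.
      const sources = fa.map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return { framable: false, reason: "frame-ancestors 'none'" };
      if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
        return { framable: true, reason: 'frame-ancestors allows any origin' };
      }
      const foreign = sources.filter((s) => s !== "'self'");
      if (foreign.length === 0) return { framable: false, reason: "frame-ancestors 'self' only" };
      return { framable: true, reason: 'frame-ancestors allows: ' + foreign.join(' ') };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { framable: false, reason: 'X-Frame-Options: SAMEORIGIN' };
  // ALLOW-FROM is obsolete and not honoured by current browsers, so it counts as no protection.
  return { framable: true, reason: 'no frame-ancestors or X-Frame-Options protection' };
}

// Constructed sample responses (hypothetical, not real sites).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWide: { 'content-security-policy': 'frame-ancestors *' },
  // frame-ancestors takes precedence, so the DENY here does not apply.
  cspOverridesXfo: {
    'x-frame-options': 'DENY',
    'content-security-policy': 'frame-ancestors https://partner.example',
  },
};

function report() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = framingPolicy(headers);
  return out;
}

for (const [name, result] of Object.entries(report())) {
  console.log(name.padEnd(16), result.framable ? 'FRAMABLE  ' : 'protected ', result.reason);
}
```

The `cspOverridesXfo` sample is the case worth remembering: a `DENY` that looks correct in isolation is silently superseded by a `frame-ancestors` allowlist, so a check that stops at `X-Frame-Options` will report the page as protected when it is not.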