On 19-Oct-09, at 7:34 AM, Gervase Markham wrote:
On 15/10/09 22:20, Brandon Sterne wrote:
IOW, we need to decide if webpage defacement via injected style is in
the threat model for CSP and, if so, then we need to do B.

Is it just about defacement, or is it also about the fact that CSS can bring in behaviours etc?

If it's about defacement, then there's no set of "non-dangerous stylesheet constructs", and you can ignore my C. I think that, without executing JS code support, the successful attacks you could mount using CSS are limited. I guess you might put a notice on the bank website: "Urgent! Call this number and give them all your personal info!"...

Not as limited as you might like. Remember that even apparently non-dangerous constructs (e.g. background-image, the :visited pseudo class) can give people power to do surprising things (e.g. internal network ping sweeping, user history enumeration respectively).
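Whatever the threat model decision turns out to be, the practical question for a site is whether its deployed policy restricts styles at all. The following is an added example, not code from the thread or from any CSP implementation; it applies the directive fallback rule (style-src, else default-src, else no restriction on stylesheets) to constructed header strings, and reports whether a policy would block attacker-injected inline style or leave it permitted via 'unsafe-inline'. The function names and sample headers are assumptions made for this example.

```python
"""Evaluate what a Content-Security-Policy header permits for stylesheets.

Added example for this thread, not code from the original discussion.
It implements the directive-fallback rule from the CSP specification:
style-src governs stylesheets; when it is absent, default-src applies;
when neither is present the browser places no restriction on styles.
The policy strings at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Source expressions that whitelist specific inline blocks. CSP Level 2
# and later ignore 'unsafe-inline' when one of these is present.
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive name: [source expressions]}.

    Directives are ';'-separated; tokens within a directive are whitespace
    separated. If a directive name appears twice, the spec keeps the first
    occurrence and ignores the later one, which is mirrored here.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_style_sources(policy: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Return (governing directive, source list) for stylesheets, or None."""
    for directive in ("style-src", "default-src"):
        if directive in policy:
            return directive, policy[directive]
    return None


def assess_style_policy(header: str) -> Dict[str, object]:
    """Describe how the policy treats inline and injected style."""
    governing = effective_style_sources(parse_csp(header))
    if governing is None:
        # No directive covers styles: inline <style>, style="" attributes
        # and any external stylesheet URL are all permitted.
        return {
            "governed_by": None,
            "sources": [],
            "inline_allowed": True,
            "blocks_injected_inline_style": False,
        }
    directive, sources = governing
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        # 'none' forbids every stylesheet, inline or external.
        inline_allowed = False
    else:
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
        # With a nonce or hash present, only the explicitly whitelisted
        # inline blocks apply; an injected <style> without the nonce does not.
        inline_allowed = "'unsafe-inline'" in lowered and not has_nonce_or_hash
    return {
        "governed_by": directive,
        "sources": sources,
        "inline_allowed": inline_allowed,
        "blocks_injected_inline_style": not inline_allowed,
    }


if __name__ == "__main__":
    # Constructed sample headers; none come from a real site.
    for example in (
        "default-src 'self'; script-src 'self'",
        "default-src 'self'; style-src 'self' 'unsafe-inline'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline' 'nonce-d3adb33f'",
    ):
        print(example, "->", assess_style_policy(example))
```

The third sample is the case worth noticing: a policy that only sets script-src says nothing about styles, so injected style goes through untouched even though the site "has CSP".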