On 19-Oct-09, at 7:34 AM, Gervase Markham wrote:
> On 15/10/09 22:20, Brandon Sterne wrote:
>> IOW, we need to decide if webpage defacement via injected style is in
>> the threat model for CSP and, if so, then we need to do B.
>
> Is it just about defacement, or is it also about the fact that CSS
> can bring in behaviours etc?
>
> If it's about defacement, then there's no set of "non-dangerous
> stylesheet constructs", and you can ignore my C. I think that,
> without executing JS code support, the successful attacks you could
> mount using CSS are limited. I guess you might put a notice on the
> bank website: "Urgent! Call this number and give them all your

Not as limited as you might like. Remember that even apparently non-
dangerous constructs (e.g. background-image, the :visited pseudo
class) can give people power to do surprising things (e.g. internal
network ping sweeping, user history enumeration respectively).
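
Added example, not part of the original thread: a small audit of whether a policy restricts the style and image loads discussed above. The directive names (style-src, img-src, default-src) are those of CSP as later standardized, not taken from this message, and the header strings in the comments and tests are constructed samples.

```python
# Added example: report gaps in a Content-Security-Policy header that leave
# injected CSS (inline styles, foreign stylesheets, background-image fetches)
# unrestricted. Finding codes are hypothetical labels chosen for this example.

WILDCARDS = {"*", "http:", "https:"}
INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective(policy, directive):
    """Sources for a fetch directive, falling back to default-src (None = unrestricted)."""
    return policy.get(directive, policy.get("default-src"))

def style_findings(header):
    policy = parse_csp(header)
    findings = []
    style = effective(policy, "style-src")
    if style is None:
        findings.append("style-src:unrestricted")
    else:
        # A nonce or hash source makes browsers ignore 'unsafe-inline'.
        pinned = any(s.startswith(INLINE_OVERRIDES) for s in style)
        if "'unsafe-inline'" in style and not pinned:
            findings.append("style-src:inline-allowed")
        if WILDCARDS & set(style):
            findings.append("style-src:any-host")
    img = effective(policy, "img-src")
    if img is None:
        findings.append("img-src:unrestricted")
    elif WILDCARDS & set(img):
        # background-image URLs in CSS are fetched under img-src.
        findings.append("img-src:any-host")
    return findings

if __name__ == "__main__":
    # Constructed sample header.
    print(style_findings("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"))
```
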