On Mon, Oct 19, 2009 at 6:43 AM, Johnathan Nightingale
<john...@mozilla.com> wrote:
> Not as limited as you might like. Remember that even apparently
> non-dangerous constructs (e.g. background-image, the :visited pseudo class)
> can give people power to do surprising things (e.g. internal network ping
> sweeping, user history enumeration respectively).

I'm not arguing for or against providing the ability to
block-inline-css, but keep in mind that an attacker can do all those
things as soon as you visit attacker.com.

There are many ways for the attacker to convince the user to visit
attacker.com.  In the past, I've found it helpful to simply assume the
user is always visiting attacker.com in some background tab.  After
all, Firefox is supposed to let you view untrusted web sites securely.

dev-security mailing list

Reply via email to