On Mon, Oct 19, 2009 at 6:43 AM, Johnathan Nightingale <john...@mozilla.com> wrote: > Not as limited as you might like. Remember that even apparently > non-dangerous constructs (e.g. background-image, the :visited pseudo class) > can give people power to do surprising things (e.g. internal network ping > sweeping, user history enumeration respectively).
I'm not arguing for or against providing the ability to block-inline-css, but keep in mind that an attacker can do all those things as soon as you visit attacker.com. There are many ways for the attacker to convince the user to visit attacker.com. In the past, I've found it helpful to simply assume the user is always visiting attacker.com in some background tab. After all, Firefox is supposed to let you view untrusted web sites securely. Adam _______________________________________________ dev-security mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security