On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
> That seems pretty bad. I think we should at least stop supporting
> it for Web content. David, what do you think?

I'm ok with restricting it to UA and user style sheets, although if we're going to do that because of security risks I'd like to get a good understanding of what those are and of what we do and don't expect authors to do when sanitizing CSS from untrusted sources to include in their Web content. I think it might make more sense to continue discussion in the bug.

(I also think sending this out in the format of an intent-to-implement message was confusing for an initial proposal to do something that hadn't yet been discussed with any owners or peers of the module. I think the format is intended to say that a change has already been accepted by owners/peers but requires wider review.)

-David

> On 2014-07-07, 4:56 AM, Frederik Braun wrote:
> > Summary:
> >
> > Attackers can extract secret URL components (e.g. session IDs, oauth
> > tokens) using @-moz-document. Using the regexp support and assuming a
> > CSS injection (no XSS needed!), the attacker can probe the current URL
> > with some regular expressions and send the URL parameters to a third party.
> >
> > A demo of this exploit can be found at <http://html5sec.org/cssession/>.
> > This attack has also been published in the academic paper "Scriptless
> > Attacks: Stealing the pie without touching the sill"[1] by Mario
> > Heiderich et al. and numerous other presentations on this topic [2,3].
> >
> > My suggestion is to either kill -moz-document for public web content or
> > remove regexp support.
> >
> > What do you think?
> >
> > Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
> > Spec: n/a. This was pushed out of CSS3 and did not make it to CSS4
> > selectors.
> > MDN: https://developer.mozilla.org/en-US/docs/Web/CSS/@document
> > Target release: ??
> > Platform coverage: desktop, android
> >
> > [1] http://www.nds.rub.de/research/publications/scriptless-attacks/
> > [2] http://www.slideshare.net/x00mario/stealing-the-pie
> > [3] https://speakerdeck.com/mikewest/xss-no-the-other-s-cssconf-eu-2013
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
                 - Robert Frost, Mending Wall (1914)
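David's question above is what a site author can actually do when sanitizing CSS from an untrusted source before embedding it. The following is an added example, not code from the thread, from Mozilla or from the html5sec demo: a small scanner that removes `@document` / `@-moz-document` at-rules (the mechanism Frederik describes) from a stylesheet, decoding CSS identifier escapes first so that a spelling like `@-moz-doc\75 ment` is caught, ignoring `@` signs inside string literals, and optionally enforcing an allowlist of at-rule names instead of a denylist. The function names `stripDocumentRules`, `decodeCssEscapes` and `findRuleEnd` and the sample stylesheets are my own constructions.

```javascript
// Added example (not from the dev-platform thread): strip @document and
// @-moz-document at-rules from untrusted CSS before it reaches a page.

const FORBIDDEN_AT_RULES = new Set(["document", "-moz-document"]);

// An at-keyword is "@" followed by identifier characters; any character may be
// written as a CSS escape (\75 or \u). The "y" flag anchors the match at lastIndex.
const AT_KEYWORD = /@((?:[-\w\u0080-\uFFFF]|\\[0-9a-fA-F]{1,6}\s?|\\[^\r\n0-9a-fA-F])+)/y;

// Decode CSS escapes so that "-moz-doc\75 ment" compares equal to "-moz-document".
function decodeCssEscapes(ident) {
  return ident.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([^\r\n])/g,
    (_, hex, ch) => (hex ? String.fromCodePoint(parseInt(hex, 16)) : ch));
}

// Return the index just past the end of the at-rule whose prelude starts at i:
// the "}" closing its block, or a ";" at brace depth 0 for a block-less rule.
// String literals are skipped so braces inside regexp("...") do not confuse it.
function findRuleEnd(src, i) {
  let depth = 0;
  let quote = null;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;              // skip the escaped character
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === "{") depth++;
    else if (c === "}") { if (--depth <= 0) return i + 1; }
    else if (c === ";" && depth === 0) return i + 1;
  }
  return src.length;                     // unterminated rule: drop the rest
}

function isForbidden(name, allow) {
  // With an allowlist, anything not explicitly permitted is removed.
  return allow ? !allow.has(name) : FORBIDDEN_AT_RULES.has(name);
}

// Returns { css, removed }: the sanitized sheet and the at-rules that were cut,
// so the caller can log what untrusted input tried to do.
function stripDocumentRules(css, { allow = null } = {}) {
  // Drop comments first so "@-moz-/**/document" cannot slip past the scanner
  // (over-blocking here is acceptable for a sanitizer).
  const src = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const removed = [];
  let out = "";
  let quote = null;
  for (let i = 0; i < src.length; ) {
    const c = src[i];
    if (quote) {                         // inside a string literal: copy verbatim
      out += c;
      if (c === "\\" && i + 1 < src.length) out += src[++i];
      else if (c === quote) quote = null;
      i++;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; out += c; i++; continue; }
    if (c !== "@") { out += c; i++; continue; }
    AT_KEYWORD.lastIndex = i;
    const m = AT_KEYWORD.exec(src);
    if (!m) { out += c; i++; continue; }
    const name = decodeCssEscapes(m[1]).toLowerCase();
    if (!isForbidden(name, allow)) { out += m[0]; i += m[0].length; continue; }
    const end = findRuleEnd(src, i + m[0].length);
    removed.push(src.slice(i, end));
    i = end;
  }
  return { css: out, removed };
}

// Constructed sample: a URL-matching rule followed by an ordinary rule.
const SAMPLE = '@-moz-document regexp(".*") { body { display: none; } }\np { color: red; }';
console.log(stripDocumentRules(SAMPLE));
```

The denylist mode is the minimum that addresses the rule discussed in this thread; the `allow` option is the stronger policy for untrusted CSS, since it also removes `@import` and any vendor-prefixed at-rule the sanitizer author has not reviewed.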