解决方法
从
browser security handbook
The risk of JavaScript execution. As a little-known feature,some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(…) directive,which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url(‘javascript:…’) directive on properties that support it; or by invoking browser-specific features such as the 07001.
…和阅读后,我发现这在StackOverflow。见Using Javascript in CSS
在Firefox中,您可以使用XBL通过CSS在页面中插入JavaScript。但是,XBL文件必须位于相同的域中,现在为bug 324253 is fixed。
还有一个有趣的(虽然不同于你的问题)的方式来滥用CSS。参见http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html.实质上,你滥用CSS解析器从不同的域中窃取内容。