javascript – Is including an external CSS file safe, or can it lead to code injection?


I am developing a website that a client will use by embedding it in an iframe on their own site. I want to give them the ability to customize the styling of the content so that it can match the style of their site.

My basic idea is to have them give me the URL of a CSS file, which I would include in the page I serve them to fill the iframe. As far as I know this is safe, but I am not especially familiar with CSS (particularly the newer versions), so I would like to verify that.

Could anyone construct a CSS file that would let them inject code into my site or otherwise access the cookies on my domain? Is this really safe, or do I need to come up with a different solution?

Best answer

No, it is not safe. expression and -moz-binding are known ways of achieving arbitrary script execution via CSS on some browsers. LiveJournal suffered a very public XSS attack that resulted from JavaScript embedded in user-supplied CSS.

With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken.

From Caja's attack vector wiki:

Crafted CSS stylesheets can execute unsanitized javascript in the global scope on some browsers.

Background

CSS includes several mechanisms for changing the surrounding markup and executing expressions.

IE has an extension that allows execution of arbitrary javascript. The expression property is described as follows:

Using the power of dynamic properties, it is now possible to declare property values not only as constants, but also as formulas. … For scripting, a dynamic property can be any legal JScript or Microsoft Visual Basic Scripting Edition (VBScript) statement.

binding allows binding to externally specified scripts

-moz-binding allows binding via the XML interface (also using data: URLs)

Assumptions

Untrusted code can generate style elements or style attributes or otherwise add arbitrary CSS rules and create DOM elements that trigger those rules.

Versions

IE 5 and later (but not IE 8 or later in “standards mode”).

Mozilla/Firefox, versions not known.
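As an added example (not part of the answer above, and not code from Caja or LiveJournal), here is a small allowlist filter in JavaScript for customer-supplied CSS. It keeps only a fixed set of properties and reports the constructs the answer names: expression(), -moz-binding, behavior, javascript: URLs, at-rules such as @import and @font-face, and backslash escapes or comments that could hide those keywords. The property list, the sanitizeCss() function and the sample stylesheet are constructed for illustration and are assumptions of this example, not anything the original page describes.

```javascript
// Added example (not from the original answer or from Caja): an allowlist
// filter for customer-supplied CSS. The property list, sanitizeCss() and the
// sample stylesheet below are constructed for illustration.

// Properties a customer is allowed to set. Anything else is dropped.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-family', 'font-size', 'font-weight',
  'margin', 'padding', 'border', 'border-radius', 'text-align', 'line-height',
]);

// Constructs with a history of script execution from CSS, checked against the
// whole declaration after comments are stripped. Any backslash is rejected too,
// because CSS hex escapes (e\78 pression) would otherwise hide the keywords.
const DANGEROUS = /expression\s*\(|-moz-binding|\bbehavior\b|javascript\s*:|vbscript\s*:|url\s*\(|@import|\\/i;

function stripComments(css) {
  // exp/**/ression must be seen as "expression", so comments go first.
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Returns { css, rejected }. css is rebuilt from allowed declarations only;
// rejected lists every selector or declaration that was dropped and why.
// If any input is left over that the simple "selector { decls }" splitter
// cannot account for (stray braces, bare at-rules), the result fails closed
// with css === ''.
function sanitizeCss(input) {
  const kept = [];
  const rejected = [];
  const text = stripComments(input);
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = blockRe.exec(text)) !== null) {
    const selector = m[1].trim();
    // At-rules (@import, @font-face, @namespace, ...) and escaped selectors
    // are rejected whole; nothing inside them is worth salvaging.
    if (/[@\\]/.test(selector)) {
      rejected.push({ selector, declaration: null, reason: 'at-rule or escaped selector' });
      continue;
    }
    const decls = [];
    for (const raw of m[2].split(';')) {
      const d = raw.trim();
      if (!d) continue;
      const idx = d.indexOf(':');
      const prop = idx < 0 ? '' : d.slice(0, idx).trim().toLowerCase();
      const value = idx < 0 ? '' : d.slice(idx + 1).trim();
      let reason = null;
      if (idx < 0) reason = 'malformed declaration';
      else if (DANGEROUS.test(d)) reason = 'dangerous value';
      else if (!ALLOWED_PROPERTIES.has(prop)) reason = 'property not allowed';
      if (reason) {
        rejected.push({ selector, declaration: d, reason });
        continue;
      }
      decls.push(`${prop}: ${value}`);
    }
    if (decls.length) kept.push(`${selector} { ${decls.join('; ')}; }`);
  }
  // Text outside any "selector { ... }" block: fail closed rather than guess.
  const leftover = text.replace(/[^{}]+\{[^{}]*\}/g, '').trim();
  if (leftover !== '') {
    rejected.push({ selector: null, declaration: leftover, reason: 'unparsed input' });
    return { css: '', rejected };
  }
  return { css: kept.join('\n'), rejected };
}

// Constructed sample: ordinary customer styling with the vectors from the
// answer injected into it.
const SAMPLE_CSS = `
/* customer theme */
body { color: #333; font-family: Georgia, serif; }
.title { font-size: 18px; color: expression(alert(document.cookie)); }
.widget { -moz-binding: url("data:text/xml,payload"); padding: 4px; }
.logo { background-image: url(javascript:alert(1)); }
a { color: blue; behavior: url(evil.htc); }
@font-face { font-family: Evil; src: url(evil.woff); }
`;

console.log(JSON.stringify(sanitizeCss(SAMPLE_CSS), null, 2));
```

Run with node to see the four surviving rules and the five rejections. The splitter is deliberately crude (it does not understand nested blocks or semicolons inside quoted strings, so those inputs simply fail closed), and a keyword filter alone is not a complete defence: the robust design is to host the stylesheet yourself, or to let customers set values for a fixed set of theme properties that you render into your own CSS, rather than loading arbitrary CSS from a URL they control.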
