Is a cross-domain attack via stylesheet possible?

Views: 336

Problem description

I need to implement a flexible styling system for web pages that are created by users of my web application.

Ideally I would like to allow them to use CSS. Is linking to a style sheet at a user defined url a Bad Idea? Why? Is it possible to do this safely?

What would your approach to this be? I am trying to avoid building a style 'editor'. Though using an off the shelf one might be an option, suggestions?

Recommended answer

Is it possible to do this safely?

Depends on how you define "safely". An external style sheet could make things look ugly, or play shenanigans with existing control elements on the site. You won't be able to prevent that as it's going to be impossible to detect. Here is a nice overview of malicious things one can do that way.

Also, obviously, CSS can trigger requests to any kind of URL by setting a background-image or similar. The browser will notice if the URL is not a valid image resource but the request will always happen. This way, one could provoke a password prompt to come up that the site's user may mistake for his own login prompt.

I'm not aware of any scripting attack vectors through CSS, although I'm pretty sure that IE's behavior could be one. I would definitely strip out those.

There is a related question on Stack Overflow but none of the vulnerabilities pointed out in the accepted answer work with pure external style sheets.
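The answer above leaves the site owner with two practical problems: the stylesheet can make a visitor's browser fetch arbitrary cross-origin URLs through `url()` references, and legacy engines treat a few CSS constructs (IE `behavior`, `expression()`) as script. The filter below is an added example, not code from the original question, answer or Stack Overflow. It goes a little beyond the answer by also rejecting `-moz-binding` and `@import` (both load further active or unfiltered content), strips comments and decodes CSS escapes before matching so the keywords cannot be split or hidden, and neutralises every `url()` that does not point at an allow-listed origin. `PAGE_ORIGIN`, `ALLOWED_URL_ORIGINS`, the function names and the sample stylesheets are all constructed for the example.

```javascript
// Added example: a conservative filter for user-supplied CSS. Not the
// original answer's code. Origins below are constructed placeholders.
const PAGE_ORIGIN = "https://app.example.com";                         // where the user pages are served (constructed)
const ALLOWED_URL_ORIGINS = [PAGE_ORIGIN, "https://static.example.com"]; // origins url() may reference (constructed)

// Constructs that execute script or load active/unfiltered content in
// legacy or non-standard engines. Any hit rejects the whole stylesheet.
const FORBIDDEN_TOKENS = [
  /behavior\s*:/i,      // IE .htc behaviors (the vector the answer points at)
  /expression\s*\(/i,   // IE dynamic properties: JavaScript inside CSS
  /-moz-binding\s*:/i,  // legacy Firefox XBL bindings
  /@import\b/i,         // would pull in a second stylesheet that bypasses this filter
  /javascript\s*:/i,
  /vbscript\s*:/i,
];

function stripComments(css) {
  // "beh/**/avior" is a valid way to write "behavior", so comments must go
  // before any pattern matching.
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

function decodeCssEscapes(css) {
  // "\62 ehavior" is also "behavior"; fold hex escapes (and single-character
  // escapes) back to plain text so the keyword patterns see the real token.
  return css
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/g, "$1");
}

function urlAllowed(rawUrl) {
  const cleaned = rawUrl.trim().replace(/^["']|["']$/g, "");
  if (cleaned === "") return false;
  let parsed;
  try {
    // Relative references resolve against the page's own origin, which is
    // on the allow-list; anything unparsable is treated as not allowed.
    parsed = new URL(cleaned, PAGE_ORIGIN);
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_URL_ORIGINS.includes(parsed.origin);
}

// Returns { css, findings }. css is "" when a forbidden construct was found;
// otherwise it is the input with off-list url() references replaced by url().
function sanitizeUserCss(css) {
  const normalized = decodeCssEscapes(stripComments(css));
  const findings = [];

  for (const pattern of FORBIDDEN_TOKENS) {
    if (pattern.test(normalized)) findings.push(`forbidden construct: ${pattern.source}`);
  }

  // An empty url() is inert: the browser issues no request for it, so the
  // declaration loses its cross-origin side effect without breaking parsing.
  const filtered = normalized.replace(/url\(\s*([^)]*?)\s*\)/gi, (match, target) => {
    if (urlAllowed(target)) return match;
    findings.push(`blocked url: ${target.trim()}`);
    return "url()";
  });

  const rejected = findings.some((f) => f.startsWith("forbidden"));
  return { css: rejected ? "" : filtered, findings };
}

// Constructed sample stylesheets a user might submit.
const SAMPLES = [
  'p { color: red; background: url("https://static.example.com/bg.png"); }',
  "div { background: url(https://other.example/login); }",
  "a { beh/**/avior: url(x.htc); }",
];
for (const sample of SAMPLES) console.log(sanitizeUserCss(sample));
```

The filter is deliberately a deny-list for script-like constructs plus an allow-list for `url()` targets: the former covers the engine quirks the answer mentions, the latter is what actually stops the "request to any kind of URL" problem, since it does not matter which property carries the reference. Run the filter on every stored stylesheet again whenever the allow-list changes, and log `findings` so attempts to smuggle `behavior` through comments or escapes are visible.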
