Simon Willison’s Weblog

Blogmarks tagged css, security

Filters: Type: blogmark × css × security ×

Plugging the CSS History Leak (via) Firefox is fixing the nefarious CSS visited link colour history leak flaw, which currently affects all browsers and allows a malicious site to determine if you have visited a specific site by checking getComputedStyle against a link to that page. It’s an obtrusive but necessary fix—visited link styles will be restricted to colour and border styles (no background images and hence no more checkbox effects since the image request could leak information) and those colours will not be reported via getComputedStyle. I hope other browser vendors follow suit. # 31st March 2010, 8:01 pm

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) # 17th January 2007, 9:09 am

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. # 22nd January 2006, 9:37 pm

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. # 15th February 2005, 7:04 pm

Background Images Security Flaw? Styling :visited links can reveal a user’s browser history. # 24th May 2004, 8:24 pm