[Ur] Supporting 'style' attribute securely
Adam Chlipala
adamc at impredicative.com
Sun Apr 15 13:40:52 EDT 2012
Marc Weber wrote:
> So what are people looking for?
> For a CSS parser built into the urweb compiler which recognizes valid
> links and checks them against a valid list of links which may be used
> for CSS ? Then injection attacks would be impossible because
> putting arbitrary CSS code from a database into style attributes would
> be rejected because it can't be parsed at runtime?
URLs are an abstract datatype in Ur/Web, with a clearly defined policy
for which URLs are allowed. I don't want to allow style code to
include URLs that the policy rejects.
The canonical example to avoid is "javascript:" URLs, which clearly
allow code injection, though I don't know to what extent browsers will
actually run JavaScript code introduced through CSS. My concerns are
primarily about code injection, not "information leakage."
> Oh last but not least: URLs in styles (with hex something decoding) is
> used to speed up loading of pages as well because no additional small
> icons have to be fetched adding yet another round trip..
Then those URLs should be whitelisted in a .urp file.
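As an added example (not Ur/Web code and not from this thread), here is a Python sketch of the default-deny check the reply above describes: decode CSS escapes the way a browser's tokenizer would (so that `u\72l(` and `\6a avascript:` are seen for what they are), pull out every `url(...)` argument, and accept the style attribute only if each URL starts with an allowlisted prefix. The prefixes in `ALLOWED_URL_PREFIXES` are placeholders standing in for the URL policy a .urp file would declare; `check_style`, `extract_urls` and `decode_css_escapes` are names chosen here.

```python
import re

# Constructed allowlist of URL prefixes a style attribute may reference.
# In Ur/Web this role is played by the .urp file's URL policy; these
# values are placeholders for the example.
ALLOWED_URL_PREFIXES = ("https://static.example.com/icons/", "/static/")

# CSS escape: backslash + 1-6 hex digits (plus one optional whitespace
# terminator), or backslash + any single other character.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\(.)", re.S)

# url( ... ) with a single-quoted, double-quoted or bare argument.
_URL_TOKEN = re.compile(
    r"url\(\s*(?:'([^']*)'|\"([^\"]*)\"|([^)\s]*))\s*\)", re.I)


def decode_css_escapes(text: str) -> str:
    """Decode CSS escapes roughly as a browser tokenizer does, so that
    'u\\72l(' becomes 'url(' and '\\6a avascript:' becomes 'javascript:'.
    (Backslash-newline line continuations inside strings are simplified
    to a plain newline here.)"""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            # NUL, out-of-range and surrogate code points become U+FFFD.
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def extract_urls(style: str) -> list[str]:
    """Return every url(...) argument in a style value, escape-decoded and
    with the whitespace browsers ignore inside URLs removed."""
    decoded = decode_css_escapes(style)
    urls = []
    for m in _URL_TOKEN.finditer(decoded):
        raw = next(g for g in m.groups() if g is not None)
        # Leading/trailing whitespace and embedded tab/CR/LF are dropped by
        # URL parsers, so drop them too before looking at the scheme.
        urls.append("".join(ch for ch in raw.strip() if ch not in "\t\r\n"))
    return urls


def is_allowed_url(url: str) -> bool:
    # Case-sensitive prefix match: conservative, since anything that does
    # not literally match an allowlisted prefix is rejected.
    return any(url.startswith(p) for p in ALLOWED_URL_PREFIXES)


def check_style(style: str) -> list[str]:
    """Return the URLs in `style` that the policy rejects; an empty list
    means the attribute may be emitted. javascript:, data: or any other
    scheme fails simply by not being on the allowlist: this is default
    deny, not a blocklist of known-bad schemes."""
    return [u for u in extract_urls(style) if not is_allowed_url(u)]


if __name__ == "__main__":
    # Constructed sample style values, some written with CSS escapes.
    samples = [
        "background: url(https://static.example.com/icons/a.png)",
        "background: url('/sta\\74ic/a.png')",
        "background: url('javascript:x')",
        "background:u\\72l(\\6a avascript:x)",
    ]
    for s in samples:
        rejected = check_style(s)
        print("OK      " if not rejected else "REJECT  ", s, rejected)
```

The point of decoding escapes before matching is that a check which only looks for the literal text `javascript:` in the raw attribute would miss the hex-escaped spelling the quoted message alludes to, while the allowlist makes the exact spelling irrelevant: only URLs the policy knows about get through.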