Abstract
Cascading Style Sheets (CSS) is a language that defines the presentation of a document. CSS can also be used with most markup languages, including XUL and SVG, and with practically any XML document that supports style sheets. CSS has been a fundamental part of the Web stack for the past couple of years, and like other technologies, it presents several security challenges. This chapter discusses how the extra functionality given to CSS, such as the ability to read the visited state of a page, CSS expressions, CSS attribute selectors, and UI appearance manipulation, can be used to affect the privacy and security of information. A variety of CSS based attacks are reviewed and a couple of syntax bugs that may allow users to obfuscate attacks at a higher level of complexity are discussed. The process of how several types of attack vectors, which may not require the use of JavaScript or any other scripting language, are created. CSS syntax and parsing rules are also different from JavaScript and HTML, in that CSS combines the passive security origin but with elements that can define the origin as the CSS hosting site (as in HTML). And with its very permissive parsing and the cross-domain nature of remote style sheets, CSS also allows information leakage and cross-browser parsing compatibility problems that introduce security vulnerabilities. It is important to note that CSS3 is still a work in progress, and some elements may change.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
