Security Basics mailing list archives
Re: Allowing 3rd party CSS sheets loading in my content?
From: "Joris Lambrecht" <jl_post () telenet be>
Date: Fri, 14 Oct 2005 06:40:26 +0000
imho No change on the website is required, most browsers support this as an option in the configuration/preferences. But also, supporting different stylesheets on the server/scripting side could indeed contain a security risk. RTFM carefully and verify your server is not set for 'invitation'-mode.
----- Oorspronkelijk bericht ----- Van: JoJimJoe () netscape net [mailto:JoJimJoe () netscape net] Verzonden: donderdag, oktober 13, 2005 02:25 PM Aan: security-basics () securityfocus com Onderwerp: Allowing 3rd party CSS sheets loading in my content? Hi, I have a php script that allows those who use my site, to render some of my xml content as html on their own site. I'm getting a lot requests to allow them to pass a parameter so they can load a style sheet, to give it their own look essentially: script.php?style=http://theirsite.com/style.css which i'd put into <link href="http://theirsite.com/style.css" etc > I'm concerned this is a security risk, that they can do more than just modify the look of the page, like some type of XSS attack. This is all part of a link exchange, and it's important they not be able to do anything with cookies on my domain, or make anything appear to be done under my domain by something tricky... thanks for your feedback Jim
Current thread:
- Allowing 3rd party CSS sheets loading in my content? JoJimJoe (Oct 13)
- Re: Allowing 3rd party CSS sheets loading in my content? Saqib Ali (Oct 14)
- <Possible follow-ups>
- Re: Allowing 3rd party CSS sheets loading in my content? Joris Lambrecht (Oct 14)