Re: Allowing 3rd party CSS sheets loading in my content?

["Joris Lambrecht" <jl_post () telenet be>]

imho No change on the website is required, most browsers support this as an option in the configuration/preferences.

But also, supporting different stylesheets on the server/scripting side could indeed contain a security risk. RTFM 
carefully and verify your server is not set for 'invitation'-mode.

> ----- Oorspronkelijk bericht -----
> Van: JoJimJoe () netscape net [mailto:JoJimJoe () netscape net]
> Verzonden: donderdag, oktober 13, 2005 02:25 PM
> Aan: security-basics () securityfocus com
> Onderwerp: Allowing 3rd party CSS sheets loading in my content?
>
> Hi,
>
> I have a php script that allows those who use my site, to render some of my xml content as html on their own site.
>
> I'm getting a lot requests to allow them to pass a parameter so they can load a style sheet, to give it their own look
>
> essentially:
> script.php?style=http://theirsite.com/style.css
> which i'd put into
> <link href="http://theirsite.com/style.css"; etc >
>
> I'm concerned this is a security risk, that they can do more than just modify the look of the page, like some type of 
> XSS attack.
>
> This is all part of a link exchange, and it's important they not be able to do anything with cookies on my domain, or 
> make anything appear to be done under my domain by something tricky...
>
> thanks for your feedback
> Jim