Re: Allowing 3rd party CSS sheets loading in my content?

From: Joris Lambrecht (jl_post_at_telenet.be)
Date: 10/14/05

  • Next message: Peyman: "Re: Double authentication (User & Machine) with VPN SSL"
    To: JoJimJoe@netscape.net, security-basics@securityfocus.com
    Date: Fri, 14 Oct 2005 06:40:26 +0000
    
    

    IMHO no change on the website is required; most browsers support this as an option in the configuration/preferences.

    But also, supporting different stylesheets on the server/scripting side could indeed contain a security risk. RTFM carefully and verify your server is not set for 'invitation'-mode.

    >----- Original message -----
    >From: JoJimJoe@netscape.net [mailto:JoJimJoe@netscape.net]
    >Sent: Thursday, October 13, 2005 02:25 PM
    >To: security-basics@securityfocus.com
    >Subject: Allowing 3rd party CSS sheets loading in my content?
    >
    >Hi,
    >
    >I have a php script that allows those who use my site, to render some of my xml content as html on their own site.
    >
    >I'm getting a lot of requests to allow them to pass a parameter so they can load a style sheet, to give it their own look.
    >
    >essentially:
    >script.php?style=http://theirsite.com/style.css
    >which I'd put into
    ><link href="http://theirsite.com/style.css" etc >
    >
    >I'm concerned this is a security risk, that they can do more than just modify the look of the page, like some type of XSS attack.
    >
    >This is all part of a link exchange, and it's important they not be able to do anything with cookies on my domain, or make anything appear to be done under my domain by something tricky...
    >
    >thanks for your feedback
    >Jim
    >
    >
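
One way to constrain the `style` parameter described in the question before it is written into the `<link>` tag, as an added example that is not part of the original thread or the poster's script. The function name `style_link_tag` and the host allowlist are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example. The function name and host allowlist are hypothetical.
const ALLOWED_STYLE_HOSTS = ['theirsite.com']; // constructed sample allowlist

// Returns a <link> tag for an accepted stylesheet URL, or '' if rejected.
function style_link_tag(?string $style): string
{
    if ($style === null || $style === '' || strlen($style) > 2048) {
        return '';
    }
    // Reject control characters, whitespace, quotes, angle brackets, backslash.
    if (preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $style)) {
        return '';
    }
    $parts = parse_url($style);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    // Only http(s): excludes javascript:, data: and other schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    // No embedded credentials, and the host must match the allowlist exactly.
    if (isset($parts['user']) || isset($parts['pass'])
        || !in_array(strtolower($parts['host']), ALLOWED_STYLE_HOSTS, true)) {
        return '';
    }
    // Encode for the HTML attribute context even though quotes were rejected.
    $href = htmlspecialchars($style, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="stylesheet" type="text/css" href="' . $href . '">';
}

// Constructed sample values for the `style` parameter.
$samples = [
    'http://theirsite.com/style.css',        // accepted
    'http://theirsite.com/style.css" x="',   // rejected: quote and space
    'javascript:void(0)',                    // rejected: no host, wrong scheme
    'http://other.example/style.css',        // rejected: host not on allowlist
];
foreach ($samples as $s) {
    $tag = style_link_tag($s);
    printf("%-40s => %s\n", $s, $tag === '' ? '(rejected)' : $tag);
}
```

In the script from the question this would be called as `style_link_tag($_GET['style'] ?? null)`. It constrains only the URL; the content of the stylesheet stays under the third party's control.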
