Re: Allowing 3rd party CSS sheets loading in my content?
From: Joris Lambrecht (jl_post_at_telenet.be)
Date: 10/14/05
- Previous message: xyberpix: "Re: OS to know."
- Maybe in reply to: JoJimJoe_at_netscape.net: "Allowing 3rd party CSS sheets loading in my content?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: JoJimJoe@netscape.net, security-basics@securityfocus.com Date: Fri, 14 Oct 2005 06:40:26 +0000
imho No change on the website is required, most browsers support this as an option in the configuration/preferences.
But also, supporting different stylesheets on the server/scripting side could indeed contain a security risk. RTFM carefully and verify your server is not set for 'invitation'-mode.
>----- Oorspronkelijk bericht -----
>Van: JoJimJoe@netscape.net [mailto:JoJimJoe@netscape.net]
>Verzonden: donderdag, oktober 13, 2005 02:25 PM
>Aan: security-basics@securityfocus.com
>Onderwerp: Allowing 3rd party CSS sheets loading in my content?
>
>Hi,
>
>I have a php script that allows those who use my site, to render some of my xml content as html on their own site.
>
>I'm getting a lot requests to allow them to pass a parameter so they can load a style sheet, to give it their own look
>
>essentially:
>script.php?style=http://theirsite.com/style.css
>which i'd put into
><link href="http://theirsite.com/style.css" etc >
>
>I'm concerned this is a security risk, that they can do more than just modify the look of the page, like some type of XSS attack.
>
>This is all part of a link exchange, and it's important they not be able to do anything with cookies on my domain, or make anything appear to be done under my domain by something tricky...
>
>thanks for your feedback
>Jim
>
>
- Previous message: xyberpix: "Re: OS to know."
- Maybe in reply to: JoJimJoe_at_netscape.net: "Allowing 3rd party CSS sheets loading in my content?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
