css - Is it safe to allow to embed an arbitrary external stylesheet into my web-page?
I have a dynamic web-page that I want other people to embed into their web-pages, through an iframe
(not through any kind of more advanced techniques like JavaScript).
Instead of providing all sorts of designs and styles myself, I'm thinking of allowing them to provide their own stylesheet for my page through an HTTP parameter, and embed such external stylesheet through the URL w/ <link type="text/css" rel="stylesheet" href
… on my page.
Is this safe? Does it violate the security paradigm of my web-site? I'm aware that text could be inserted with CSS alone, and, indeed, elements could be removed (which is the whole point of me providing such functionality to my users), but what else should I be aware of?
Could malicious people insert links onto my site through such CSS, to benefit from the HTTP Referer, and potentially violate checks, or is CSS insertion limited to text?
In the general case, no, allowing third-party CSS is not safe. Implementations allow JavaScript in CSS, which means that allowing users to modify the CSS allows them to execute arbitrary JavaScript in the context of your page.
However, if this is meant to be a sort of "white-label" page, which appears to be part of the site it's embedded in, and the fact that it's your page is an implementation detail, this doesn't seem like a major concern. The person specifying the "third-party" CSS is the site owner, so it's not third-party at that point — they're not going to XSS themselves!
But nobody else should ever be putting CSS on a page that's meant to be under your control, because then it's under the control of whoever is controlling the CSS.
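One way to keep the stylesheet parameter in the hands of the embedding site owner only, as an added example that is not part of the original question or answer. `PARTNER_ORIGINS`, `escapeAttr`, `buildStylesheetEmbed` and the origin `partner.example` are hypothetical, and it assumes each embedding partner hosts its stylesheet on its own HTTPS origin.

```javascript
// Added example. PARTNER_ORIGINS, escapeAttr and buildStylesheetEmbed are
// hypothetical names; partner.example is a constructed sample origin.
const PARTNER_ORIGINS = new Set(["https://partner.example"]);

// Encode characters that could break out of a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Returns the <link> tag and response headers for an accepted stylesheet URL,
// or null when the parameter must be ignored.
function buildStylesheetEmbed(cssParam) {
  let url;
  try {
    url = new URL(cssParam); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // rejects http:, data:, javascript:
  if (url.username || url.password) return null; // rejects user@host forms
  if (!PARTNER_ORIGINS.has(url.origin)) return null; // exact origin match only
  const origin = url.origin;
  return {
    linkTag: `<link type="text/css" rel="stylesheet" href="${escapeAttr(url.href)}">`,
    headers: {
      // Styles, and the images and fonts they reference, load only from this
      // site or the partner; only that partner may frame the page.
      "Content-Security-Policy": [
        "default-src 'self'",
        `style-src 'self' ${origin}`,
        `img-src 'self' ${origin}`,
        `font-src 'self' ${origin}`,
        `frame-ancestors ${origin}`,
      ].join("; "),
      // Keep the page URL out of requests made for the stylesheet.
      "Referrer-Policy": "no-referrer",
    },
  };
}
```

Because `frame-ancestors` and `style-src` name the same origin, the party that can frame the page is the same party that controls its CSS, which is the condition the answer describes.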