css - Is it safe to allow to embed an arbitrary external stylesheet into my web-page?


I have a dynamic web-page that I want other people to embed into their web-pages, through an iframe (not any kind of more advanced techniques like JavaScript).

Instead of providing all sorts of designs and styles myself, I'm thinking of allowing them to provide their own stylesheet for the page through an HTTP parameter, and embed such an external stylesheet through a URL with <link type="text/css" rel="stylesheet" href… on my page.

Is it safe? Does it violate any security paradigm of a web-site? I'm aware that text can be inserted through CSS alone, and, indeed, elements can be removed (which is the whole point of me providing such functionality to users), but what else should I be aware of?

Could malicious people insert links onto my site through such CSS, benefit from the HTTP Referer, and potentially violate some checks, or is CSS insertion limited to text?

In the general case, no, allowing third-party CSS is not safe. Implementations allow JavaScript in CSS, which means that allowing users to modify the CSS allows them to execute arbitrary JavaScript in the context of the page.

However, if this is meant as a sort of "white-label" page, which appears to be part of the site it's embedded in, and the fact that it's your page is an implementation detail, this doesn't seem like a major concern. The person specifying the "third-party" CSS is the site owner, so it's not third-party at that point — they're not going to XSS themselves!

But nobody else should ever be putting CSS on a page that's meant to be under your control, because it's under the control of whoever is controlling the CSS.
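An added example, not part of the original question or answer: one way to enforce the answer's condition that only the embedding site's owner chooses the stylesheet, written as a Node.js helper. The embedder registry, the `stylesheetFor` name, the `acme` id and the Content-Security-Policy value are assumptions made for illustration.

```javascript
'use strict';

// Constructed registry (assumption): each embedder id maps to the single
// origin that both frames the page and hosts its stylesheet.
const EMBEDDERS = new Map([
  ['acme', 'https://www.acme.example'],
]);

// Encode characters that could break out of a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Returns { linkTag, headers } when the stylesheet parameter is acceptable,
// or null so the caller falls back to the default design.
function stylesheetFor(embedderId, cssParam) {
  const origin = EMBEDDERS.get(embedderId);
  if (!origin || typeof cssParam !== 'string') return null;

  let url;
  try {
    url = new URL(cssParam); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  // The sheet must sit on the embedder's own HTTPS origin, so the party
  // choosing the CSS is the owner of the site that frames the page.
  if (url.protocol !== 'https:' || url.origin !== origin) return null;
  if (url.username || url.password) return null;

  // Styles, images and fonts may load only from this page's origin and the
  // embedder's; only the embedder may frame the page.
  const csp = [
    "default-src 'self'",
    `style-src 'self' ${origin}`,
    `img-src 'self' ${origin}`,
    `font-src 'self' ${origin}`,
    `frame-ancestors ${origin}`,
  ].join('; ');

  return {
    linkTag: `<link type="text/css" rel="stylesheet" href="${escapeAttr(url.href)}">`,
    headers: { 'Content-Security-Policy': csp },
  };
}
```

A null result means the request is served with the default styles and no `<link>` built from the parameter.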

