10

I have a dynamic web-page which I want other people to embed into their web-pages, with an iframe (not necessarily with any kind of more advanced techniques like JavaScript).

Instead of providing all sorts of designs and styles myself, I'm thinking about allowing them to provide their own stylesheet for my page through an HTTP GET parameter, and embed such external stylesheet through a URL w/ <link type="text/css" rel="stylesheet" href… on my page.

Is this safe? Will it violate the security paradigm of my web-site? I'm aware that extra text could be inserted with CSS alone, and indeed elements could be removed (which is the whole point of me providing such functionality for my users), but anything else I should be aware of?

Could malicious people insert links onto my site through such a CSS, to benefit from my http referer and potentially violate some checks, or is CSS insertion limited to text?

cnst
  • Importing something (whatever) from an external resource could ever be a security risk. But to answer your "links" question: no. They could hide elements, add text and so on, but it's not possible to create a link with css (or at least it should be prevented by the browser because it's cross site scripting). – Linus Caldwell May 21 '13 at 17:36
  • See [Cross-Site Scripting in CSS Style Sheets](http://stackoverflow.com/q/3607894/102937) – Robert Harvey May 21 '13 at 17:38
  • This is not a duplicate of http://stackoverflow.com/questions/13876961/how-do-i-ensure-user-input-is-css-and-not-malicious-code, I don't have any text-input on my site. I want to only allow referencing an external stylesheet, not store any user input on my own domain. – cnst May 21 '13 at 17:42
  • But you're linking a CSS containing text, correct? And that CSS could contain malicious content, correct? It doesn't really matter whether the CSS comes from a textbox or linked sheet... the principles of protection should be identical. – Robert Harvey May 21 '13 at 17:45
  • @RobertHarvey, I have no clue what the linked file will contain. The problem is different -- my problem is letting other web-site owners embed my content the way they see fit (non-same-origin CSS), those other questions you've found are about letting end-users customise the site (CSS hosted on same-origin domain). Some answers might be related/helpful, but the questions and the domains of the problem are entirely different. – cnst May 21 '13 at 17:49

2 Answers

5

In the general case, no, allowing third-party CSS is not safe. Some implementations allow JavaScript in CSS, which means that allowing users to modify your CSS allows them to execute arbitrary JavaScript in the context of your page.

However, if this is meant to be sort of a "white-label" page, where it appears to be part of the site it's embedded in and the fact that it's really your page is just an implementation detail, this doesn't seem like a major concern. The person specifying the "third-party" CSS is the site owner, so it's not really third-party at that point — they're not going to XSS themselves!

But nobody else should ever be putting CSS on a page that's meant to be under your control, because it's really under the control of whoever is controlling the CSS.

Chuck
  • That's my take as well. Sure, the site owner might insert malicious content, but why would they? – Robert Harvey May 21 '13 at 18:16
  • Well, see, the site is intended to be used by both the end-users (mostly without any external CSS, but potentially with some cookies) and web-developers (with external CSS), and I don't want to make matters too complicated by using two distinct domains for each group. So, which context will JavaScript in CSS be executed in? Would it be able to, (a), add links, such that my page shows as Referer, and, (b), read, change or set cookies from my domain, or other likewise stuff? – cnst May 21 '13 at 18:48
  • @cnst: That depends on the implementation. There are various features in different agents that could lead to script execution, and I don't know the specifics of most of them. The safest assumption would be "It's equivalent to letting people put an arbitrary SCRIPT tag on your page." – Chuck May 21 '13 at 21:34
  • @Chuck, it's not equivalent to letting people put an arbitrary `script` on your page -- the difference is that with arbitrary CSS, from a third-party domain, it's holes in buggy and old versions of browsers that are to blame for any possible exploits. So, in all of this, pretty much only MSIE is affected? My site is developer-oriented, so, I'm thinking that people who run MSIE are screwed anyways, so, perhaps it would, in fact, make sense to disregard them from this potential exploit (since if it's not this one, there's surely another one anyways). – cnst May 22 '13 at 23:05
  • sigh. I guess I might have to test it myself whether those mentioned features are executed with the origin of my domain (e.g. can read/write cookies); and then if they are, and if only MSIE and old versions of Gecko are affected, then perhaps do browser sniffing, and instead of embedding a provided stylesheet, embed nothing or embed some kind of generic stylesheet that would most likely fit into other designs. So far, I found that old Gecko is probably indeed vulnerable: http://www.securiteam.com/securitynews/5LP051FHPE.html http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0496 – cnst May 22 '13 at 23:26
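
Added example, not code from the question or from either answer: one way a server could check the stylesheet URL from the GET parameter before echoing it into the `<link>` tag, so the parameter itself cannot break out of the `href` attribute or use a non-HTTPS scheme. The parameter name `css`, the function names and the `.example` hosts are assumptions.

```javascript
// Added example; `css`, the function names and the hosts are assumptions.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Validate the embedder-supplied stylesheet URL.
// Returns a parsed URL object, or null if it must not be linked.
function validateStylesheetUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  if (u.protocol !== 'https:') return null;  // rejects javascript:, data:, http:
  if (u.username || u.password) return null; // no embedded credentials
  return u;
}

// Build the <link> tag plus a Content-Security-Policy value that limits
// stylesheet loads (including @import) to this site and the validated origin.
function buildStylesheetLink(requestUrl) {
  const raw = new URL(requestUrl, 'https://widget.example').searchParams.get('css');
  const u = raw === null ? null : validateStylesheetUrl(raw);
  if (!u) {
    return { link: '', csp: "style-src 'self'" }; // fall back to own styles only
  }
  return {
    // u.href is the parser-normalized form, escaped again for the attribute.
    link: `<link type="text/css" rel="stylesheet" href="${escapeAttr(u.href)}">`,
    csp: `style-src 'self' ${u.origin}`,
  };
}
```

This only constrains where the stylesheet is loaded from and how the URL is written into the page; it does not change what a browser does with the CSS once it is loaded, which is the concern discussed in the answers.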
0

CSS cannot insert linkable content. It can only style, position and hide what's already there. Sure, people can mess up your page with :before and :after text and perhaps make things look a little confusing or change labels on existing links, but not the URLs themselves.

Diodeus - James MacFarlane
  • Not completely true. Unfortunately some browsers decided that it’d be a great idea to allow some JavaScript calls from CSS. (I’m looking at you IE 7+8, Opera and Firefox!) – Simon East Aug 28 '18 at 12:34