Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday February 28 2018, @06:07PM   Printer-friendly
from the just-use-lynx-and-elm dept.

Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.

A few days ago there was a lot of chatter about a 'keylogger' built in CSS.

Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.

While most are acutely aware, yet ignore, the danger presentd by third-party javascript and javascript in general, most forget about CSS. Jake reminds us and walks through quite a few exampled of how CSS can be misused by third-parties exporting it.

Source : Third party CSS is not safe


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by RamiK on Wednesday February 28 2018, @07:49PM (2 children)

    by RamiK (1813) on Wednesday February 28 2018, @07:49PM (#645344)

    Simplest way to set it to first party only is to go into the config screen...

    Just install uMatrix+uBlock instead of NoScript+AdAway and get the same feature-set but with a UI that lets you allow/disallow CSS per-domain or even sub-domain with four clicks of the button.

    --
    compiling...
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @10:14PM (1 child)

    by Anonymous Coward on Wednesday February 28 2018, @10:14PM (#645438)

    NoScript protects far more than just JavaScript. Sadly you still need all three. All have unique features.

    • (Score: 2) by RamiK on Wednesday February 28 2018, @11:18PM

      by RamiK (1813) on Wednesday February 28 2018, @11:18PM (#645479)

      NoScript protects far more than just JavaScript.

      The clickjacking protection is covered by the CSS blocking while the XSS and anti-tracking protection is covered by the XHR.

      The additional functionality NoScript also packages is extra scripts that circumvent specific ad-walls. But not only those scripts are fragile and break every other day (literally as ad-wall operators are actively combating NoScript and AdAway), when they break they live your client running all the scripts, displaying the ads, and letting viruses through.

      Other than that, citation needed.

      --
      compiling...