Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.
A few days ago there was a lot of chatter about a 'keylogger' built in CSS.
Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.
While most are acutely aware, yet ignore, the danger presentd by third-party javascript and javascript in general, most forget about CSS. Jake reminds us and walks through quite a few exampled of how CSS can be misused by third-parties exporting it.
Source : Third party CSS is not safe
(Score: 2) by Freeman on Wednesday February 28 2018, @09:47PM (1 child)
Third-party content is inherently unsafe, because you're not in control of the content. Though, pretty much the *Internet* is unsafe and should be treated like it has Ebola when interacting with it. That being said, I was a little curious as to how someone made a keylogger using CSS. To which the answer is, they didn't. They just passed the React keylogger in using CSS. Bottom line, if it's not hosted on your site, you can't rely on it.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by requerdanos on Thursday March 01 2018, @12:30AM
It does in fact have Ebola [wikipedia.org]. It has all the hemorrhagic fevers.