Protecting Browsers From Cross-Origin CSS Attacks

Date Added: Oct 2010
Format: PDF

Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. The authors show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. They have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Their defense proposal has also been adopted by Opera.