Protecting Browsers From Cross-Origin CSS Attacks

Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. The authors show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. They have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Their defense proposal has also been adopted by Opera.

Provided by: Association for Computing Machinery Topic: Security Date Added: Oct 2010 Format: PDF

Find By Topic