Is it safe to allow embedding an arbitrary external stylesheet in my web page?

I have a dynamic web page that I want other people to embed in their own web pages with an iframe (not necessarily using anything more advanced like JavaScript).

Instead of creating all kinds of designs and styles myself, I am thinking of letting them supply their own stylesheet for my page via an HTTP GET parameter, and embedding such an external stylesheet through the URL with <link type="text/css" rel="stylesheet" href…> on my page.

Is it safe? Will this violate the security model of my website? I know that CSS can only insert additional text, and of course elements can be hidden (which is the whole point of offering this feature to my users), but is there anything else I should know about?

Can malicious people embed links to my site using such CSS in order to benefit from my HTTP referrer and potentially break some checks, or is CSS embedding limited to text?

+6
2 answers

Generally not: allowing third-party CSS is unsafe. Some implementations allow JavaScript inside CSS, which means that letting users modify your CSS lets them execute arbitrary JavaScript in the context of your page.

However, if this is meant as a "white label" page, where it appears to be part of the site it is embedded in, and the fact that it is really your page is just an implementation detail, that does not seem like a serious problem. The person defining the "third-party" CSS is the owner of that site, so at that point they are not a third party at all: they would not XSS themselves!

But nobody else should be putting CSS on a page that is supposed to be under your control, because the page really is under the control of whoever controls the CSS.

+3

CSS cannot embed linked content. It can only style, position and hide what is already there. Of course, people can mess up your page with :before and :after text, perhaps make things a bit confusing or change the labels of existing links, but not the URLs themselves.

0
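As an added example (this is editor-written code, not from the question or either answer): if you still want to take the stylesheet location from a GET parameter as the question proposes, the practical mitigation is to restrict who may supply that CSS rather than to trust the parameter. The server-side handler below, in Node.js-style JavaScript, accepts only https URLs on an allowlist of partner hosts, rejects everything else (javascript: and data: URLs, look-alike hostnames, credentials in the URL, values that do not point at a .css path), escapes the value before emitting the <link> tag, and builds a matching Content-Security-Policy style-src value. The parameter name, the hostnames and the default stylesheet path are my assumptions, not something the page specifies. Note that this only narrows who controls the CSS; as the first answer says, whoever does control it still controls how the page renders.

```javascript
// Added example (not from the original question or answers): server-side
// handling of a `?style=` parameter that selects an external stylesheet.
// Assumptions (mine, not the page's): the embedding sites are known partners,
// so their stylesheet hosts can be allowlisted. The hostnames, the parameter
// name and the default path below are made up for illustration.

const ALLOWED_STYLE_HOSTS = new Set([
  "static.partner-a.example",
  "cdn.partner-b.example",
]);

const DEFAULT_STYLESHEET = "/static/default.css";

// Accept only absolute https URLs on allowlisted hosts, without embedded
// credentials, whose path ends in .css. Returns the normalised URL string,
// or null if the value is rejected. new URL() throws on relative paths and
// garbage; javascript:, data: and http: values parse but fail the protocol
// check; "allowed-host@evil.test" parses with evil.test as the hostname and
// the allowed host as a username, so both checks reject it.
function validateStylesheetUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (!ALLOWED_STYLE_HOSTS.has(url.hostname)) return null;
  if (!url.pathname.endsWith(".css")) return null;
  return url.href;
}

// Escape for an HTML attribute value. The WHATWG URL parser already
// percent-encodes " < > in the path, so this is belt and braces for the
// double-quoted attribute context.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the <link> element for the page; anything rejected falls back to the
// site's own default stylesheet instead of echoing the parameter.
function buildStylesheetLink(raw) {
  const href = validateStylesheetUrl(raw) ?? DEFAULT_STYLESHEET;
  return `<link rel="stylesheet" href="${escapeAttr(href)}">`;
}

// A Content-Security-Policy style-src directive that lets the browser load
// styles only from the same origin and the allowlisted hosts, so a bug
// elsewhere in the page cannot pull CSS in from anywhere else. It does not
// make partner CSS "safe": whoever writes that CSS still controls rendering.
function cspHeaderValue() {
  return `style-src 'self' ${[...ALLOWED_STYLE_HOSTS].join(" ")}`;
}

module.exports = { validateStylesheetUrl, buildStylesheetLink, cspHeaderValue };
```

In a request handler you would call `buildStylesheetLink(req.query.style)` when rendering the page and send `cspHeaderValue()` in the Content-Security-Policy header; a rejected value silently produces the default stylesheet rather than an error, which is the friendlier behaviour for an embedded widget.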

Source: https://habr.com/ru/post/945512/
