cnst

Reputation: 27228

Is it safe to allow to embed an arbitrary external stylesheet into my web-page?

I have a dynamic web-page which I want other people to embed into their web-pages, with an iframe (not necessarily with any kind of more advanced techniques like JavaScript).

Instead of providing all sorts of designs and styles myself, I'm thinking about allowing them to provide their own stylesheet for my page through an HTTP GET parameter, and embed such external stylesheet through a URL w/ <link type="text/css" rel="stylesheet" href… on my page.

Is this safe? Will it violate the security paradigm of my web-site? I'm aware that extra text could be inserted with CSS alone, and indeed elements could be removed (which is the whole point of me providing such functionality for my users), but anything else I should be aware of?

Could malicious people insert links onto my site through such a CSS, to benefit from my http referer and potentially violate some checks, or is CSS insertion limited to text?

Upvotes: 10

Views: 1474

Answers (2)

Chuck

Reputation: 237080

In the general case, no, allowing third-party CSS is not safe. Some implementations allow JavaScript in CSS, which means that allowing users to modify your CSS allows them to execute arbitrary JavaScript in the context of your page.

However, if this is meant to be sort of a "white-label" page, where it appears to be part of the site it's embedded in and the fact that it's really your page is just an implementation detail, this doesn't seem like a major concern. The person specifying the "third-party" CSS is the site owner, so it's not really third-party at that point — they're not going to XSS themselves!

But nobody else should ever be putting CSS on a page that's meant to be under your control, because it's really under the control of whoever is controlling the CSS.

Upvotes: 5
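One way to act on the point made in the question (a stylesheet URL arriving in a GET parameter) and in the answer above (whoever controls the CSS controls the page) is to never embed an arbitrary URL at all: accept only stylesheets from an allowlist of origins the site owner has agreed to, and back that up with a Content-Security-Policy so the browser itself refuses any other stylesheet. The following is an added example written for this page, not code from the question or either answer. It assumes a Node.js environment with the WHATWG `URL`/`URLSearchParams` classes, a query parameter named `css`, and the partner origin in `ALLOWED_STYLE_ORIGINS`, all of which are made up for the example.

```javascript
// Added example (not from the question or either answer): server-side
// handling of a caller-supplied stylesheet URL. Only stylesheets from an
// allowlist of origins are embedded, and the response also carries a
// Content-Security-Policy limiting style-src to those origins, so the browser
// will not load a stylesheet from anywhere else even if a bad value slips by.
// The allowlist entry and the parameter name "css" are assumptions.

const ALLOWED_STYLE_ORIGINS = new Set([
  "https://styles.example-partner.com", // assumed partner origin
]);

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Validate a raw query-string value. Returns the normalised absolute URL when
// acceptable, or null when the page should fall back to its default style.
function validateStylesheetUrl(raw, allowedOrigins = ALLOWED_STYLE_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative paths and junk throw
  } catch (e) {
    return null;
  }
  // Only https: is acceptable; this also rejects javascript:, data:, file: etc.
  if (url.protocol !== "https:") return null;
  // Embedded credentials are never legitimate for a stylesheet URL.
  if (url.username || url.password) return null;
  // Compare the full origin (scheme + host + port) against the allowlist.
  if (!allowedOrigins.has(url.origin)) return null;
  return url.href;
}

// Build the <link> tag and the CSP header value for one request.
function buildStylesheetEmbed(queryParams, allowedOrigins = ALLOWED_STYLE_ORIGINS) {
  const href = validateStylesheetUrl(queryParams.get("css"), allowedOrigins);
  const styleSrc = ["'self'", ...allowedOrigins].join(" ");
  return {
    // Empty string when the parameter is missing or rejected: the page renders
    // with its own default style rather than echoing the bad value anywhere.
    linkTag: href
      ? `<link rel="stylesheet" type="text/css" href="${escapeAttr(href)}">`
      : "",
    // Browser-side backstop for the server-side check above.
    cspHeader: `default-src 'self'; style-src ${styleSrc}`,
  };
}

// Usage per request (assumed Node http handler, placeholder site origin):
//   const params = new URL(req.url, "https://my-site.example").searchParams;
//   const { linkTag, cspHeader } = buildStylesheetEmbed(params);
//   res.setHeader("Content-Security-Policy", cspHeader);
//   // ...then place linkTag in the <head> of the rendered page.
```

The design choice here is that the GET parameter selects among stylesheets the site owner already trusts; it does not let an arbitrary visitor point the page at a stylesheet they control, which is exactly the case the answer above says is unsafe.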

Diodeus - James MacFarlane

Reputation: 114417

CSS cannot insert linkable content. It can only style, position and hide what's already there. Sure, people can mess up your page with :before and :after text and perhaps make things look a little confusing or change labels on existing links, but not the URLs themselves.

Upvotes: 0
