Pete Freitag Pete Freitag

Cross Domain Data Theft using CSS

Published on July 21, 2010
By Pete Freitag

FireFox (3.6.7) released today fixed an interesting security vulnerability called Cross Domain Data Theft using CSS discovered by Google security researcher Chris Evans.

It works kind of like JSON Hijacking, but uses a cross domain <link /> tag instead of a cross domain <script /> call to the attacker site.

Here's how it works:

  1. Post a comment on the victim site that looks like this: {}body{background-image:url(' - it can be anywhere on the page, doesn't need to be in a style tag or attribute.
  2. Get the attacker to visit your site which contains a link tag like this: <link rel="stylesheet" href="">
  3. The attacker site also includes some javascript calling window.getComputedStyle(...) this can be used to steal the content of the page at
  4. The {} in the CSS resets the CSS parser because up to that point it is very confused (since it's trying to parse the HTML of the page as CSS).

To fix this issue Firefox (and WebKit) now reject loading CSS files that meet these conditions:

  1. CSS File is from another domain
  2. Content type is not text/css
  3. Page does not start with valid CSS syntax

You can find a lot of the interesting details here in this Firefox Bug Report.

security firefox css javascript

Cross Domain Data Theft using CSS was first published on July 21, 2010.

If you like reading about security, firefox, css, or javascript then you might also like:

Weekly Security Advisories Email

Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).