Pete Freitag

Cross Domain Data Theft using CSS

Published on July 21, 2010
By Pete Freitag
web

Firefox 3.6.7, released today, fixes an interesting security vulnerability called Cross Domain Data Theft using CSS, discovered by Google security researcher Chris Evans.

It works kind of like JSON Hijacking, but uses a cross domain <link /> tag instead of a cross domain <script /> call to the attacker site.

Here's how it works:

  1. Post a comment on the victim site that looks like this: {}body{background-image:url('http://google.com/ (it can be anywhere on the page; it doesn't need to be in a style tag or attribute).
  2. Get the victim to visit your site, which contains a link tag like this: <link rel="stylesheet" href="http://victimsite.example.com/page/with/above/css">
  3. The attacker site also includes some JavaScript calling window.getComputedStyle(...), which can be used to steal the content of the page at victimsite.example.com.
  4. The {} in the CSS resets the CSS parser, because up to that point it is very confused (since it's trying to parse the HTML of the page as CSS).

To fix this issue Firefox (and WebKit) now reject loading CSS files that meet these conditions:

  1. The CSS file is from another domain
  2. The content type is not text/css
  3. The page does not start with valid CSS syntax
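
The three conditions above, written out as a load decision. This is an added sketch, not Firefox or WebKit code: it reads the list as "reject only when all three hold", and the function names, the attacker.example.net URL and the first-rule heuristic (far simpler than a real CSS parser) are assumptions.

```javascript
// Added illustration: models the three-condition rule described above.
// Not browser source; names and the first-rule heuristic are assumptions.

// True when the sheet URL's origin differs from the embedding page's origin.
function isCrossOrigin(pageUrl, sheetUrl) {
  return new URL(sheetUrl, pageUrl).origin !== new URL(pageUrl).origin;
}

// True when the Content-Type header names text/css (parameters ignored).
function isCssContentType(header) {
  const mime = (header || "").split(";")[0].trim().toLowerCase();
  return mime === "text/css";
}

// Simplified stand-in for "starts with valid CSS syntax": after leading
// whitespace and comments, the first construct must be an at-rule or a
// non-empty selector followed by "{". Markup such as "<!DOCTYPE" fails.
function startsWithCss(body) {
  const text = body.replace(/^(\s|\/\*[\s\S]*?\*\/)*/, "");
  if (/^@[a-zA-Z-]+[^;{]*[;{]/.test(text)) return true;
  return /^[a-zA-Z0-9\s.#*:>+~,\[\]="'()_-]+\{/.test(text);
}

// Reject only when all three conditions from the list hold.
function shouldLoadStylesheet(pageUrl, sheetUrl, contentType, body) {
  const reject = isCrossOrigin(pageUrl, sheetUrl) &&
                 !isCssContentType(contentType) &&
                 !startsWithCss(body);
  return !reject;
}

// Constructed sample: an HTML page carrying the comment string from step 1.
const htmlBody = "<!DOCTYPE html><html><body><p>{}body{background-image:" +
                 "url('http://google.com/</p>private text</body></html>";
const page = "http://attacker.example.net/index.html"; // constructed URL
const sheet = "http://victimsite.example.com/page/with/above/css";

console.log(shouldLoadStylesheet(page, sheet, "text/html", htmlBody));
console.log(shouldLoadStylesheet(page, sheet, "text/css", "body{color:red}"));
```
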

You can find a lot of the interesting details here in this Firefox Bug Report.



security firefox css javascript

Cross Domain Data Theft using CSS was first published on July 21, 2010.
