Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there any danger in loading external, third-party CSS?

Tags:

javascript

css

security

My goal is to allow partners to style their landing pages with their own look and feel by passing us a link to their stylesheet in a URL parameter. Are there security or browser compatibility concerns with loading third-party CSS via JavaScript?

like image 306
jarbot Avatar asked Jun 21 '11 21:06

jarbot

People also ask

What is third party CSS?

Using the attribute selector, a 3rd party CSS can style the element differently based on different attribute value. One, for example, could load a different background image for different attribute value. By knowing which background image is loaded, one could then know the value of the attribute.

What is a 3rd party script?

A 3rd party script is a JavaScript resource loaded into a webpage to provide functionality beyond the core functionality of the website. Added content: A third-party JavaScript refers to a script that is able to become embedded by a third-party vendor directly into any website.

Which of the below guidelines should be followed while using any third party JavaScript libraries in the Web applications?

In general, you should always use async or defer for third party scripts (unless the script does something necessary for the critical rendering path): Use async if it's important to have the script run earlier in the loading process. This might include some analytics scripts, for example.

1 Answers

In CSS Files.

expressions(code), behavior:url(), url(javascript:code), and -moz-binding:url() all have potential security issues.

Behavior can't be cross domain so that removes some threat, but generally speaking you do need to sanitize it somehow.

If you allow the user to link to CSS on external servers, there isn't a fullproof way to validate. The server could check the CSS file on the server to ensure there is nothing malicious, but what if the user changes the stylesheet? You would have to continuously check the stylesheet. Also the server could potential feed different info to the servers ip address in attempt to bypass the validation method.

In all honesty I would advise storing the CSS on your own server. Simple run it throw a regex parser that removes the possible malicious code from above.

like image 149
Lime Avatar answered Nov 15 '22 19:11

Lime
Sign in to Comment

Related questions

Issue with Setting Up Webpack and Babel
What is better, One javascript framework, or multiple frameworks
How to assign unique DOM element ID
IE8 Javascript doesnt run unless Developer Tools is open?
Merge/Join 2 jQuery sets
jQuery Validation Plugin: Invoke errorPlacement function when onfocusout, keyup and click
What is the JavaScript variable scope in a switch / case statement?
Change table row display property
Is block style really this important? [duplicate]
javascript correctly rounding up to two decimals, impossible?
Is there a JavaScript or jQuery equivalent to Python's "sum" built-in function?
How can I add an array to an array of arrays using jQuery?
Javascript setTimeout function call with event argument?
What harm can javascript do?
changing margin value using jQuery
Preview Image without Upload to my server
HTML5 App Anti-Piracy techniques? [closed]
Google Map .InfoWindow Set Height and Width
How to structure nodejs code properly
get the tag name of object returned by getElementsByName

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!