Re: Allowing 3rd party CSS sheets loading in my content?

[Saqib Ali <docbook.xml () gmail com>]

Hello,

I provide a similar service at http://validate.sf.net . See the
following URL for samples:

http://www.xml-dev.com/blog/?action=viewtopic&id=88

However I use Apache Cocoon to convert XML to HTML/PDF . The
conversion takes place on the server, instead of the client applying
the CSS. This way I minimize the chances of the XSS attacks.


On 13 Oct 2005 12:25:51 -0000, JoJimJoe () netscape net
<JoJimJoe () netscape net> wrote:
> Hi,
>
> I have a php script that allows those who use my site, to render some of my xml content as html on their own site.
>
> I'm getting a lot requests to allow them to pass a parameter so they can load a style sheet, to give it their own look
>
> essentially:
> script.php?style=http://theirsite.com/style.css
> which i'd put into
> <link href="http://theirsite.com/style.css"; etc >
>
> I'm concerned this is a security risk, that they can do more than just modify the look of the page, like some type of 
> XSS attack.
>
> This is all part of a link exchange, and it's important they not be able to do anything with cookies on my domain, or 
> make anything appear to be done under my domain by something tricky...
>
> thanks for your feedback
> Jim


--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.