
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Custom CSS: Difference between revisions

== Security implications ==
 
Pointing your FireBrick to a .css file that is stored on a website on the public Internet might, in theory at least, have security implications. Review the security of that site in general: who might have access to the site's content, any FTP passwords, and 'locking' features on FTP. Also consider attacks on the DNS to redirect requests to a bogus site. Man-in-the-middle attacks and ARP&nbsp;/ ND attacks could achieve redirection at a lower level; however, this is a much more general problem. Consider using TLS&nbsp;/ SSL (i.e. use an <code>https:</code> CSS URL) to reference your .css file in order to prevent these possibilities, or use the <code>data:</code> URI scheme technique described below.
 
The extent of what an attacker could achieve by succeeding in pulling in an evil .css file is an open question. Some versions of Microsoft Internet Explorer for Windows could cause code to be executed when ''triggered from within a mere .css file'' by the use of the powerful non-standard <span lang="en-US"><code>behavior:</code></span> and <code>expression()</code> CSS features. See MSDN articles on [https://msdn.microsoft.com/en-us/library/ms530723(v=vs.85).aspx CSS 'behavior:'] and [https://blogs.msdn.microsoft.com/ie/2008/10/16/ending-expressions/ CSS 'expression()'].
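
The two checks this section suggests can be scripted before a stylesheet is referenced from the FireBrick. The following is an added example, not part of the original page or any FireBrick tooling; the function names and the sample stylesheet are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Schemes recommended in this section: TLS-protected fetch, or inline CSS.
SAFE_SCHEMES = {"https", "data"}

# IE-only CSS features named in this section. The lookbehind keeps the
# standard 'scroll-behavior' property from being reported; '-ms-behavior'
# is IE8's prefixed spelling of 'behavior'.
RISKY_FEATURES = {
    "behavior": re.compile(r"(?<![\w-])(?:-ms-)?behavior\s*:", re.IGNORECASE),
    "expression()": re.compile(r"expression\s*\(", re.IGNORECASE),
}
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def check_css_url(url):
    """Return a list of concerns about how the stylesheet is fetched."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in SAFE_SCHEMES:
        return []
    if scheme == "http":
        return ["fetched without TLS: DNS, ARP/ND or on-path redirection "
                "can substitute a different file"]
    if scheme == "":
        return ["no scheme: protection depends on how the referring page is served"]
    return ["scheme %r is not https: or data:" % scheme]

def scan_css(css_text):
    """Return the sorted names of risky features present in the CSS text."""
    # Drop comments first so a keyword split by /* ... */ is still seen.
    stripped = _COMMENT.sub("", css_text)
    return sorted(n for n, rx in RISKY_FEATURES.items() if rx.search(stripped))

def audit(url, css_text):
    """Combine both checks into one report."""
    return {"url": check_css_url(url), "features": scan_css(css_text)}

# Constructed sample stylesheet, for demonstration only.
SAMPLE_CSS = """
html { scroll-behavior: smooth; }
div  { behavior: url(placeholder.htc); }
p    { width: expression(1 + 1); }
"""

if __name__ == "__main__":
    print(audit("http://www.example.com/firebrick.css", SAMPLE_CSS))
```

This is a review aid only: it does not decode CSS backslash escapes, so a clean result does not prove a file is free of these features.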
 
== Internal inline CSS - using data URIs ==