
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Custom CSS: Difference between revisions

CecilWard (talk | contribs)
== Security implications ==

Pointing your Firebrick to CSS that is stored in a website on the public Internet might, in theory at least, have security implications. Certainly review security of that site in general, who might have access to the site's content, any FTP passwords, 'locking' features on FTP. Also consider attacks on the DNS to redirect requests to a bogus site. Man-in-the-middle attacks and ARP / ND attacks could achieve redirection at a lower level, however this is a much more general problem. Consider using TLS / SSL (i.e. a <code>https:</code> CSS URL) to prevent these possibilities.
Pointing your Firebrick to a .css file that is stored in a website on the public Internet might, in theory at least, have security implications. Certainly review security of that site in general, who might have access to the site's content, FTP passwords, 'locking' features on FTP. Also consider attacks on the DNS to redirect requests to a bogus site. Man-in-the-middle attacks and ARP&nbsp;/ ND attacks could achieve redirection at a lower level, however this is a much more general problem. Consider using TLS&nbsp;/ SSL and use an <code>https:</code> URL to reference your .css file in order to prevent these possibilities, or use the <code>data:</code> URI scheme technique described below.

The extent of the potential outcomes that an attacker could achieve by succeeding in pulling in an evil .css file is an open question. Some versions of Microsoft Internet Explorer for Windows could cause code to be executed when ''triggered from within a mere .css file'' by the use of the powerful non-standard <span lang="en-US"><code>behavior:</code></span> and <code>expression()</code> CSS features. See MSDN articles on [https://msdn.microsoft.com/en-us/library/ms530723(v=vs.85).aspx CSS 'behavior:'] and [https://blogs.msdn.microsoft.com/ie/2008/10/16/ending-expressions/ CSS 'expression()'].
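As an added illustration (not FireBrick's own code or tooling), the following Python helpers put the advice above into a checkable form: classify the transport risk of a configured custom-CSS URL, build the <code>data:</code> URI alternative so nothing is fetched over the network, and flag the legacy IE <code>behavior:</code> / <code>expression()</code> constructs and cleartext fetches in a stylesheet before trusting it. The sample stylesheet and the host <code>example.invalid</code> are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructs an auditor would flag in a stylesheet pulled from the Internet.
# behavior: and expression() are the legacy IE-only features discussed above;
# url(http: and remote @import pull further content, possibly in cleartext.
SUSPICIOUS = {
    "ie-behavior": re.compile(r"\bbehavior\s*:", re.I),
    "ie-expression": re.compile(r"\bexpression\s*\(", re.I),
    "cleartext-fetch": re.compile(r"url\(\s*['\"]?http:", re.I),
    "remote-import": re.compile(r"@import\s+(?:url\()?\s*['\"]?https?:", re.I),
}

# Constructed sample: a stylesheet containing each construct the page warns about.
SAMPLE_CSS = """
body { background: url(http://example.invalid/bg.png); }
div  { behavior: url(x.htc); width: expression(document.body.clientWidth); }
"""


def css_to_data_uri(css_text: str) -> str:
    """Embed a stylesheet inline so the FireBrick fetches nothing remotely."""
    payload = base64.b64encode(css_text.encode("utf-8")).decode("ascii")
    return f"data:text/css;base64,{payload}"


def classify_css_url(url: str) -> str:
    """Transport risk class of a configured custom-CSS URL."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "data":
        return "inline"     # no DNS lookup, no remote host, no TLS to get wrong
    if scheme == "https":
        return "tls"        # authenticated transport; still review the host
    if scheme == "http":
        return "cleartext"  # DNS or on-path redirection can swap the file
    return "unknown"


def audit_css(css_text: str) -> list[str]:
    """Names of the suspicious constructs present in css_text, in fixed order."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(css_text)]


if __name__ == "__main__":
    print(classify_css_url("http://example.invalid/fb.css"), audit_css(SAMPLE_CSS))
```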


== Internal inline CSS - using data URIs ==