I already keep SVG disabled for security reasons, but it's increasingly looking like I'll have to find some way to disable CSS too. It's too bad people couldn't leave CSS alone as a nice simple (sort of) way to format text, because turning it into another programming language is begging for it to be abused by hackers and other malicious actors (like advertisers), just like JS.
paulpauper 1 hours ago [-]
Nah, that is overkill. The probability of falling for this is still tiny, and it cannot break the sandbox, steal session cookies, or anything like that.
paulpauper 1 hours ago [-]
A long time ago there was a facebook clickjacking method that could make someone inadvertently share a link or like a page. The former required clicking a combination of colored buttons and was quite clever. This was in 2010. But it could not do more, like steal sessions.
scoofy 1 hours ago [-]
As someone who runs a site that uses inline SVG, this is unfortunate. Hopefully it won't be a problem for me.
pixl97 1 hours ago [-]
Maybe I'm missing something, but it looks like it requires an iframe attack or an XSS to work correctly, both of which have page/server settings that can be used to avoid them.
spartanatreyu 3 minutes ago [-]
It's easy to prevent clickjacking attacks by not allowing your website to be embedded in an iframe.
You can do that by either adding a header to your network requests, or by adding the following meta tag to your page:
<meta http-equiv="X-Frame-Options" content="DENY">
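Added example, not from this thread: a small Python checker that classifies whether a response's headers block framing, plus the header set a server would send. It assumes only the `X-Frame-Options` header discussed above and the CSP `frame-ancestors` directive; note that browsers honour both only as real HTTP response headers, not in a `<meta http-equiv>` tag.

```python
"""Classify a response's anti-framing (clickjacking) protection from its headers.

Added example, not from the thread. Browsers only honour X-Frame-Options and
Content-Security-Policy as HTTP response headers; a <meta http-equiv> copy is ignored.
"""
from typing import Dict, List, Optional


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'none', 'same-origin', 'allowlist', or 'open' for the given headers.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are present,
    which matches browser behaviour. Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in ([], ["'none'"]):   # empty source list also blocks all
                return "none"
            if ancestors == ["'self'"]:
                return "same-origin"
            return "allowlist"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "open"


def anti_framing_headers(allow_self: bool = False) -> Dict[str, str]:
    """Headers a server should send so the page cannot be framed by other origins."""
    if allow_self:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


if __name__ == "__main__":
    # Constructed sample: a response with only a legacy X-Frame-Options header.
    print(framing_policy({"X-Frame-Options": "DENY", "Content-Type": "text/html"}))
```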