Hi,
Over the years CSS has evolved a lot. CSS 3 now does plenty of things including some minor calculations and animations.
I wonder, what security risk does CSS now represent? SVG for instance can potentially be abused. Can the new CSS add to the general scriptless attack surface too? If so, anything NoScript can do now or in a future version?
Secondly, why doesn't NoScript have an option to add a placeholder to SVG images? Was it a conscious decision, in which case I am curious to hear the reasoning behind it, or has it just been overlooked?
Thanks
What security risks does CSS 3 create ? (also, SVG)
-
Mr. Hankey
-
Mr. Hankey
Re: What security risks does CSS 3 create ? (also, SVG)
I guess this was too broad a question, so let's narrow it a bit.
- Have you heard of scriptless CSS attacks recently?
- If so, how would you think someone should protect himself?
- Does or can NoScript do anything to improve CSS security if there is a need to?
I suppose clickjacking can be done without JS and rely on CSS and IFrames alone. Anything else? I was thinking more along the lines of actual CSS security exploits instead of tricks like clickjacking, but any info is fine.
Re: What security risks does CSS 3 create ? (also, SVG)
Well, I know CSS can chew up a lot of CPU by constantly recalculating values every time you move the mouse. But otherwise I wouldn't expect many direct attacks. And NoScript does prevent clickjacking and tabnapping, as you probably know.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.