Is there any way to hide or otherwise make inaccessible a web pages proprietary CSS code? I know about minification but a minified css file can easily be unpacked.
Thank you for your help,
Marc
Aside from minification and perhaps base64 encoding, there is nothing you can do to mask your CSS text. And those are easily reversible.
There is no way to make it unreadable, as the browser has to be able to read it in order to display it, therefore the user can read it if they want to.
I think you are tackling the wrong problem. Your problem shouldn't be "how do I prevent users from seeing my proprietary css code" it should be "Why does my CSS code have anything proprietary in it."
It really shouldn't, and if it does you should fix that.
No. The browser needs to be able to access the CSS in order to display the page correctly.
You could unpack the elements from the CSS and apply them inline instead. Not sure if that would solve your question though.
Related
Is it possible to have a CSS virus, or what could be the closer of it? (=a non virus but something harmful for the security)
What kind of security breaches could it exploit?
Not a virus, that would not be possible. The only thing that comes to mind is this:
https://hackaday.com/2018/02/25/css-steals-your-web-data/
It abuses the fact that you can select an element based on an attribute's value.
Really clever!
Edit: There is a deprecated CSS property that was usable in IE5.5 (I think) that allowed you to define arbitrary js to be executed at run time. Someone demonstrated that you could put the entirety of jQuery in the property value and it ran. Obviously, this is not very useful today, but interesting, nonetheless. If I find this I will add it to this response.
CSS is a browser side language there for the only way you would be able to execute harmful code in it would be to re-name the file to something like .exe or .php.
You can't get a virus via css. But this is an interesting article about fetching userdata with it https://www.bleepingcomputer.com/news/security/css-code-can-be-abused-to-collect-sensitive-user-data/
The answers that you have gotten stating it is not possible, are correct,
as long as everything works the way it is supposed to.
But since, at least with respect to security, everything on the internet is broken (and most other code as well) in one way or another, it is certainly possible for CSS to be a
carrier of maleficent CSS that exploits security holes either in the CSS parser or the execution of CSS script content.
Then again, that is of course not specific to CSS, but also true for HTML/JS/images etc,
or basically any input from an unsecured source being parsed by any piece of software on your machine.
The access gained from these attack vectors can then be used to inject or
create a virus on the fly.
how can I design CSS (specially in asp.net) which user could not save that in client side? I do not want to use from flash or other embedded technology. only frame and css.
thanks.
I don't think that is possible. CSS is telling the browser how an element is supposed to look, making it so a user can't save/understand it would mean the browser wouldn't know how to read it. If you want to obfuscate the css you can check this >> tools for obfuscating html and css
You cannot really prevent the user from downloading the css. The browser needs HTML and CSS to render the page correctly to the user. So the browser actually queries for the HTML and CSS files from server and loads it.
Also you cannot obfuscate CSS files as browsers cant understand those lines.
There is no possibility, only obfuscation.
Impossible. Modern browsers will even show the cascade, rules, etc. that apply to an element in a developer console. Google Chrome for example, has this.
thanks for all answer. that was useful. but why we can not save complete gmail.com or mail.yahoo.com?
I think they use flash or silver or ....
I have a massive CSS file that is applied to several pages. I'm hoping to break it down to a common CSS file and several page-level CSS files, since it is becoming difficult to work with. Unfortunately, it's not easy to tell what exactly is common. I was hoping there was a way to quickly see what lines/selectors were being used on a given page. Does anyone know of a tool that can do this? I don't want to use developer tools and go through the DOM elements one by one. I'd like to look at the CSS file and see unused selectors grayed out or something. Thanks!
You can use, at least in Chrome, the Audits tab in the developer tools. Once you run it, it says you which styles aren't used in the current page.
Testing it on this site:
And for Firefox there an add-on called CSS Usage – might be worth a look too.
Is there anything tricky someone could do with user-uploaded CSS to harm a site? If I wanted to allow users to upload/share their own CSS themes to a site, is there anything I should look for or disallow?
EDIT: Assume I know how to check if it's a valid CSS file etc. I'm looking for CSS specific exploits I need to avoid.
I believe standard CSS, parsed in a standard way is safe. However, through various non-standard extensions CSS is unsafe.
It's not just CSS that is unsafe, due to the fact that some browsers ignore RFC 2616 and sniff the content type instead of respecting the Content-Type header, it is possible to trick some browsers into embedding JavaScript hidden within static image files.
Even if you work around these particular issues, there's nothing stopping browser vendors from screwing you over in other ways without you realising.
As a general rule, I would not allow untrusted users to upload files unless I gave each user their own subdomain and ensured that any cookies on the main site were limited to the www host. This makes it look to the browser that each user has their own separate site with their own separate security context, so even if they manage to execute code, it doesn't compromise anything.
Even if you parse the file for valid CSS a hacker could still be malicious by using something like :before and :after. To ensure security you will want to whitelist a subset of css properties & selectors in your validation.
They can include an .htc file which is essentially Javascript. Actually, it doesn't even need to be in .htc file, you can write Javascript in CSS using expression(). And also (although this is given), they can mess with your site by hiding/showing stuff inappropriately.
You primarily need to be careful on what is being uploaded. If you do some kind of sanity check, that it is valid CSS, you should be fine, but if you just allow any old file to be uploaded, someone could sneak in some java script or other malicious code.
The actual type is not harmful, but the whole upload concept is the problem as it allows attackers to deliver a payload you wouldn't expect.
But I would say as long as you check off your security checklist and validate your content to be at least some css, you should be fine.
What is the easiest way to do it?
I have difficulties to understand and not having now enough time to spend and study Greasemonkey properly, to just apply a PERMANENT css change to ANY website.
I thought that was more easy, to just add a CSS that would stay with the browser. But I do not find any easy/quick tool customization to just add a simple .css file to do my changes.
For example I would like to restyle Twitter, because I hate the new design, It is killing any kind of graphic personalization that I would like to have.
I need it simple, because I want to let people with not high tech knowledge, to be able to get my personalization, implement it and do it as well.
I know that this could have a security issue, but all that I want to do it is add a piece of CSS, and not additional Javascript functionality.
EDIT: Possibly that could work in all the browsers, not only Chrome and Firefox (I know that might not exist, but I would like to have an alternative for people that use IE)
I am an expert web designer, but I am not a programmer. Outside Javascript I do not script anything else.
Install Stylish. Make custom CSS file. Winning.
You're looking for the Stylish extension.
You can add a user stylesheet in several major browsers that will override the site stylesheet. It will require a good working knowledge of CSS though and for firefox you have to create the file manually in your profile.
http://www.squarefree.com/userstyles/user-style-sheets.html