Robbat2 (robbat2) wrote in lj_dev,
Robbat2
robbat2
lj_dev

CSS Complaint #2 - Dynamic Styles broken by CSS-Cleaner

As per my previous post, I mentioned that I my custom S1 style uses a 7 dynamic stylesheets. In that post however, I didn't elaborate on how they were dynamic. The dynamic-ness I use serves two purposes - firstly serving different content based on your User-Agent, and secondly providing multiple cosmetic options.

The per-User-Agent part is reasonably simple, it just mainly hands out slightly different table styling so that my page looks as good as possible on every browser from Netscape4 on IRIX right thru the experimental IE7, and a lot of strange stops in-between. In a few cases, it sends different Content-Types, and other headers as well, for dealing with brokeness.

The cosmetic change part is actually what irks me more, I have functionality that allows multiple colorschemes based on a small optional cookie that says what colour scheme you like. The publically available choices are here: http://www.orbis-terrarum.net/?l=prefs (try it, and then browse my website) (For those interested in playing, a further re-use of the style engine is here: http://hotmodels.orbis-terrarum.net/?l=prefs). My S1 style is an extension of the same styling that I used for my website, and the customizable colour scheme integration is an integral part of this.

The User-Agent part isn't too hard to do with CSS-Cleaner, it just needs to send the User-Agent from the client, and keep seperate caches per User-Agent. The style part however is not solvable with CSS-Cleaner at all. The cookie is not sent by the browser to the modified URL, because the base URL domain is outside the cookie domain, and the browser rightly doesn't want to expose the cookie.

I've got one potential suggestion as to how to work around this - namely to naively use CSS-Cleaner to check, but still send the raw stylesheet URL to the browser if it checks out cleanly, but it has a major hole of a potential attacker sending 'safe' content to the cleaner and an exploit to anybody else.

Can anybody else offer other suggestions?

Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 8 comments