Third party CSS is not safe

By Chris Coyier


…because third-party anything really isn’t safe. Jake Archibald:

If you’re worried about users tricking your site into loading third party resources, you can use CSP as a safety net, to limit where images, scripts and styles can be fetched from.

We’ve long discussed security considerations for using and managing third-party scripts, but the topic of security in third-party CSS was recently broached in response to a “trick” that employs keylogging via CSS.

Jake’s post is a worthy read because it takes a high-level look at all third-party assets and the risks they pose.
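The CSP safety net from the quote above can be checked mechanically. This is an added example, not code from Jake's post or from this site: it audits a Content-Security-Policy value for the three fetch types the quote names. The function names `parseCsp` and `auditCsp`, the sample policies and the host `cdn.example` are assumptions made for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for the three fetch
// types named in the quote (images, scripts, styles).
// parseCsp, auditCsp and FETCH_DIRECTIVES are hypothetical names.
const FETCH_DIRECTIVES = ['img-src', 'script-src', 'style-src'];

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Directive names are case-insensitive; a repeated directive is
    // ignored, so the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return a list of findings; an empty list means images, scripts and
// styles are each limited to an explicit set of sources.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of FETCH_DIRECTIVES) {
    // A missing fetch directive falls back to default-src.
    const sources = directives.get(name) ?? directives.get('default-src');
    if (sources === undefined) {
      findings.push(`${name}: unrestricted (no ${name} or default-src)`);
      continue;
    }
    for (const src of sources) {
      const s = src.toLowerCase();
      // A bare wildcard or scheme-only source matches every host.
      if (s === '*' || s === 'https:' || s === 'http:') {
        findings.push(`${name}: ${src} allows any host`);
      }
    }
  }
  return findings;
}

// Constructed sample policies (cdn.example is a placeholder host).
const loose = "script-src 'self'; style-src *";
const tight = "default-src 'self'; style-src 'self' https://cdn.example";
console.log(auditCsp(loose)); // two findings: img-src and style-src
console.log(auditCsp(tight)); // no findings
```

`img-src` is audited alongside `style-src` because images referenced from a stylesheet are fetched under `img-src`, so a policy that limits only styles still leaves image requests open.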
