Third party CSS is not safe

Direct Link →

...because third-party anything really isn't safe. Jake Archibald:

If you're worried about users tricking your site into loading third party resources, you can use CSP as a safety net, to limit where images, scripts and styles can be fetched from.

We've long discussed security considerations for using and managing third-party scripts, but the topic of security in third-party CSS was recently broached in response to a "trick" that employs keylogging via CSS.

Jake's post is a worthy read because it takes a high-level look at all third-party assets and the risks they pose.