IoIxD / dforum

Service that allows Discord forums to be indexed by Google and read without a Discord account.
ISC License

Per-server custom CSS/HTML(/JS?) additions #62

Closed IoIxD closed 1 year ago

IoIxD commented 2 years ago

In addition to custom URLs, servers should be able to add custom CSS to their listings. Optionally, it would be nice if they could inject HTML before certain elements, although this would be hard to implement and might not make it.

And the ability to add custom JS wouldn't hurt, but there's a lot that goes against the idea. In particular, it would be nice to ensure every page on the site loads in a timely manner. We would also open the gates to free hosting for aggressive popup/"alert spam" scams which could hurt our ranking on Google, since these would also be usable on the dfs.ioi-xd.net url.

hikari-no-yume commented 2 years ago

The most annoying thing about implementing custom CSS would be the security issues with it. Old versions of IE let you embed JS in CSS for example, so traditionally you would have to sanitise it. Maybe these days a Content Security Policy header banning JS etc would suffice?

IoIxD commented 2 years ago

I've never heard of this, could you give me an example or source for this?

hikari-no-yume commented 2 years ago

There's an explanation on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Basically it's a simple HTTP header the server can set if it wants the browser to enforce certain security restrictions. It can do things like forbid inline JS, which makes XSS very hard: even if you can get a <script> tag, it won't do anything.
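Worked example of the header described above, added here for illustration and not code from the dforum project: a Go middleware that sends a `Content-Security-Policy` which allows scripts and stylesheets only from the site's own origin and omits `'unsafe-inline'`, so an injected inline `<script>` is not executed. The policy string and the `/custom/<server-id>.css` path mentioned in the comments are assumptions for the example; `PolicyForbidsInlineScript` is a deliberately narrow checker (it ignores nonces and hashes) used to verify the policy's shape.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cspPolicy is an assumed policy for a forum mirror: scripts and styles only
// from the page's own origin, no inline script, no plugins, no framing.
// A per-server custom stylesheet would be served from the same origin
// (hypothetically at /custom/<server-id>.css), so style-src 'self' still
// permits it while any off-site stylesheet URL is blocked by the browser.
const cspPolicy = "default-src 'none'; script-src 'self'; style-src 'self'; " +
	"img-src 'self' https:; font-src 'self'; object-src 'none'; " +
	"base-uri 'none'; frame-ancestors 'none'"

// withCSP sets the policy header on every response of the wrapped handler.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", cspPolicy)
		next.ServeHTTP(w, r)
	})
}

// PolicyForbidsInlineScript reports whether a policy string blocks inline
// <script> execution: the effective script source list (script-src, or
// default-src as its fallback) must exist and must not contain
// 'unsafe-inline'. Nonces and hashes are intentionally not modelled.
func PolicyForbidsInlineScript(policy string) bool {
	sources := map[string][]string{}
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		sources[strings.ToLower(fields[0])] = fields[1:]
	}
	srcs, ok := sources["script-src"]
	if !ok {
		srcs, ok = sources["default-src"]
	}
	if !ok {
		return false // no script-src and no default-src: inline script allowed
	}
	for _, s := range srcs {
		if strings.EqualFold(s, "'unsafe-inline'") {
			return false
		}
	}
	return true
}

// HeaderFromHandler runs one request through the middleware and returns the
// CSP header it emitted, so behaviour can be checked without a live server.
func HeaderFromHandler() string {
	h := withCSP(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("<html>forum page</html>")) // constructed page body
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	fmt.Println(HeaderFromHandler())
	fmt.Println("inline script forbidden:", PolicyForbidsInlineScript(cspPolicy))
}
```

Note that `style-src 'self'` answers the question in the thread only for stylesheets: CSS served from the site's own origin is still applied, so the header limits where CSS can come from and whether script runs, but it does not by itself inspect what the uploaded CSS contains.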

IoIxD commented 2 years ago

Should've specified, I meant IE allowing JS in CSS. I can't find a source for this and I've never heard of this being a thing.

hikari-no-yume commented 2 years ago

Ah I see! It's thankfully a dead and buried feature these days, so it's now surprisingly hard to find info about it on Google, but I managed to fish this up: http://web.archive.org/web/20100406163427/http://msdn.microsoft.com/en-us/library/ms537634(VS.85).aspx

samhza commented 1 year ago

too dangerous

IoIxD commented 1 year ago

I only just saw this now but I disagree for CSS.

Without even getting into specifics: Reddit allowed custom CSS for 12 years. For a significant portion of its history you could apply custom CSS onto pages on one of the largest sites on the internet. I am doubtful that we can't do this without easily maintaining good security. It's also worth mentioning that Reddit didn't support full CSS: there were certain properties that were disabled. We can do the same.

That said, I did some research and found some "CSS security issues":

of course all of this is invalidated if we let the user host their own CSS stylesheets or link to them. I don't see a valid reason to do this anyways, we can disable it.

I can see how html/js would be problematic. I don't even know why I mentioned js with a question mark, that's a horrible fucking idea, what did I mean "it wouldn't hurt"? Of course it would hurt! God no! And custom html is pointless anyways.