>normalize_css: yes or no - should normalize.css be loaded before any CSS declarations?
I'm guessing it's an external CSS file, probably to enforce consistency between browsers. Haven't looked at it, though - just assuming. "normalize" is nowhere else in the documentation, oddly enough.
My reading is that it's not necessarily phishing because they wouldn't need to ask the user for any information. All that would be required is for the user to be signed into the targeted webapp.
It could be totally automated. But, since the attacker doesn't get the response, they couldn't necessarily do anything with that. That doesn't make this any less dangerous, as in the bank example, you don't necessarily need to see that your transfer was successful in order to get the money.
is all that you need to execute this attack in your browser. An attacker can hide the applet via CSS and put it on a legitimate looking page. All the target needs to do is be logged in.
If you want to be super evil about it you could also embed the evil POSTing code in a swf that looks like an unevil ad and then let an unsuspecting ad network distribute it for you.
Correct. Put it up using Google Adwords or a similar network, make sure attacker.com has a proper crossdomain.xml file (because the SWF won't be served from attacker.com), and you have a working exploit that can be deployed all over the Internet.
It means that Netscape ignored the idea of separating markup from style, probably setting back the progress of the web by some years. This seems to imply that Andreessen's vision of the web was not very ambitious at the time - mixing FONT and CENTER tags is convenient for small-scale publishing by individuals handcoding one-off HTML, but is unwieldy for larger scale ideas.
Isn't that what the concat() method is for?