Secure CSS For ADNs

This rewrite rule allows CSS requests to run through css.php, which can substitute color attritubes on the fly to allow a single application to be supported by multiple skins, and have greater immunity to cross-site scripting attacks.


RewriteEngine On
RewriteRule ^(.*)\.css$ css.php?d=$1

Key considerations:

  • sed may be the best substitution strategy, instead of PHP, because it is probably faster, and little to no development would be required
  • Caching should be done carefully to ensure the files are not recreated unnecessarily, and files that don’t exist should be created. If the source .css file has changed, the recolored one must be updated.
  • One may use the REQUEST_URI to select the .css files
  • Backend management of the .css file identifiers will be required if they are dynamic. This implies the ability of a user to be able to select colors and store the scheme. If they are fixed, it is simpler.
  • This is not really intended for individual user customization and user experience, but to allow a single installation of an application to support multiple skins. With that in mind, it is assumed there would be a fixed set of .css files, with a default used in the event of an invalid file request, and the .css files would be managed manually by the design/engineering team.