Not so fast! Just because the CSS is only served to the authenticated account which installed it doesn't necessarily mean things are 100% okay.
There could be cross-site scripting attacks whereby the user clicks on something evil in a malicious site which attacks that user's HN authenticated session by installing some malicious CSS in their profile. The UI could require a confirmation of the account password for updating any security-sensitive properties.
Users could also shoot themselves in the foot with bad CSS. The obvious fix for that is that the profile settings page itself doesn't inject the CSS, or there is a safe variant of its URL which doesn't inject CSS.
I would really like to see this: maybe release a "submit CSS blob" feature first and then, in a couple months, have a competition to pick the best style sheet?
Not so fast! Just because the CSS is only served to the authenticated account which installed it doesn't necessarily mean things are 100% okay.
There could be cross-site scripting attacks whereby the user clicks on something evil in a malicious site which attacks that user's HN authenticated session by installing some malicious CSS in their profile. The UI could require a confirmation of the account password for updating any security-sensitive properties.
Users could also shoot themselves in the foot with bad CSS. The obvious fix for that is that the profile settings page itself doesn't inject the CSS, or there is a safe variant of its URL which doesn't inject CSS.
Two great points. Thanks.
I would really like to see this: maybe release a "submit CSS blob" feature first and then, in a couple months, have a competition to pick the best style sheet?