GET request to: "auth/"
Stylesheet imports in question:
<link href="resources/4mjgh/common/keycloak/node_modules/patternfly/dist/css/patternfly.css" rel="stylesheet">
<link href="resources/4mjgh/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css" rel="stylesheet">
<link href="resources/4mjgh/welcome/keycloak/css/welcome.css" rel="stylesheet">
Relative URLs can be dangerous because the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.
cross-site scripting (XSS) and exfiltration of CSRF tokens.
It is recommended to remove relative URLs and use absolute URLs in CSS imports.
The following alternatives can be applied to avoid PRSSI vulnerabilities.
- Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
- Set response header X-Frame-Options: deny
- Set response header X-Content-Type-Options: nosniff
- Define an HTML base tag to specify the base URL for all relative URLs in a document.
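
The checks listed above can be run against a captured response. The following is an added example, not code from this report or from Keycloak: the names `PageScan`, `is_path_relative` and `prssi_findings` are hypothetical, the sample page is constructed, and the DOCTYPE test is a simplification that accepts only the HTML5 doctype as known no-quirks.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PageScan(HTMLParser):
    """Collects the DOCTYPE, any <base href> and all stylesheet link hrefs."""
    def __init__(self):
        super().__init__()
        self.doctype, self.has_base, self.stylesheets = None, False, []
    def handle_decl(self, decl):
        # Called for <!DOCTYPE ...>; normalise case and whitespace.
        self.doctype = " ".join(decl.lower().split())
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.has_base = True
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self.stylesheets.append(a.get("href") or "")

def is_path_relative(href):
    """True when the href has no scheme, no host and no leading '/'."""
    u = urlsplit(href)
    return bool(href) and not u.scheme and not u.netloc and not href.startswith("/")

def prssi_findings(html, headers):
    """Return (path-relative stylesheet hrefs, listed mitigations that are absent)."""
    scan = PageScan()
    scan.feed(html)
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    relative = [s for s in scan.stylesheets if is_path_relative(s)]
    missing = []
    # Simplification: only the HTML5 doctype is accepted as known no-quirks.
    if scan.doctype != "doctype html":
        missing.append("no-quirks doctype")
    if h.get("x-frame-options") != "deny":
        missing.append("X-Frame-Options: deny")
    if h.get("x-content-type-options") != "nosniff":
        missing.append("X-Content-Type-Options: nosniff")
    if not scan.has_base:
        missing.append("base tag")
    return relative, missing

# Constructed sample: one link copied from the report, one root-relative link made up here.
SAMPLE_HTML = ('<html><head>'
               '<link href="resources/4mjgh/welcome/keycloak/css/welcome.css" rel="stylesheet">'
               '<link href="/auth/static/site.css" rel="stylesheet">'
               '</head><body></body></html>')
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print(prssi_findings(SAMPLE_HTML, SAMPLE_HEADERS))
```

A page is worth flagging when the first list is non-empty and the second list shows that none of the compensating controls is in place.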