CVE-2010-0651 in Chrome
Summary
by MITRE
WebKit before r52784, as used in Google Chrome before 4.0.249.78 and Apple Safari before 4.0.5, permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/30/2026
The vulnerability described in CVE-2010-0651 represents a critical security flaw in WebKit-based browsers that affected major web browsers including Google Chrome and Apple Safari. This issue stems from improper handling of cross-origin resource loading mechanisms within the browser's rendering engine, specifically concerning CSS stylesheet downloads. The vulnerability exists in WebKit versions prior to r52784 and impacts Chrome versions before 4.0.249.78 and Safari versions before 4.0.5, demonstrating the widespread nature of this security weakness across major browser implementations.
The technical flaw in this vulnerability lies in the browser's Content Security Policy enforcement mechanism for cross-origin CSS loading. Normally, browsers should verify that resources loaded from different origins comply with strict security policies, including proper MIME type validation and document integrity checks. However, this vulnerability allows malicious actors to bypass these security controls by exploiting a weakness in how the browser handles malformed CSS documents. The flaw specifically occurs when a stylesheet download has an incorrect MIME type, yet the browser still processes the content and allows cross-origin loading to proceed, creating a security boundary violation.
The operational impact of this vulnerability is significant and directly relates to information disclosure risks. Attackers can craft malicious web documents that exploit this weakness to obtain sensitive information from other origins that would normally be protected by the browser's security model. This cross-origin information leakage could potentially expose user data, session tokens, or other sensitive resources that should be restricted by the same-origin policy. The vulnerability essentially undermines the fundamental security principle that prevents unauthorized access to resources from different domains, creating a pathway for attackers to gather information that should remain isolated.
This vulnerability aligns with CWE-200, which addresses "Information Exposure," and specifically relates to improper access control mechanisms in web browsers. The issue also connects to ATT&CK technique T1566, which covers "Phishing with Malicious Content," as attackers could leverage this weakness to craft more sophisticated phishing attacks that can extract sensitive information from users' browsing sessions. Additionally, the vulnerability demonstrates characteristics of privilege escalation through browser exploitation, as it allows unauthorized access to resources that should be restricted by cross-origin policies. The security implications extend beyond simple information disclosure, as this weakness could potentially enable more complex attack vectors when combined with other vulnerabilities or when targeting specific user data within cross-origin contexts.
The recommended mitigations for this vulnerability include immediate updates to affected browser versions, implementing proper MIME type validation for all CSS resources, and strengthening the cross-origin resource loading policies within browser implementations. Organizations should ensure that all users are updated to patched versions of Chrome and Safari, while developers should implement proper content security policies in their web applications to minimize the impact of such vulnerabilities. The fix implemented in WebKit r52784 likely involved strengthening the validation mechanisms for cross-origin CSS loading, ensuring that malformed documents or incorrect MIME types properly trigger security restrictions rather than allowing continued processing of potentially malicious content.