But this page indicates the problem is much more sinister. Briefly, a page can import CSS from another domain using
@importat a page that doesn't contain CSS, it tries to do "lenient" parsing of CSS, parsing pretty much anything (?) that occurs after a curly brace. This means that if the data you wanna steal is after a curly and formatted the right way, you can nab it, and it's even easier if the target page displays some URL parameters because then you can influence what's on the page.
My question for you: how do you defend your app against these sorts of attacks?