Cross-site scripting attacks are dangerous, and common enough that you're all probably familiar with them. Unfortunately that last word, "scripting", has ensured that our collective understanding of injection attacks remains fundamentally tied up with JavaScript. Cross-site _styling_ is actually more capable than you might expect; it's quite possible to exfiltrate sensitive data (like passwords!) without any script at all. This talk will walk through some of the cleverly malicious activity that CSS makes possible, and discuss some mechanisms for mitigating the risk that your sites and applications might be affected.