Third party CSS is not safe - JakeArchibald.com
After a recent flurry of worry online around a CSS keylogger, Jake points out the real issue (emphasis mine):
Some folks called for browsers to ‘fix’ it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is ‘safe’.