
style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Apr 2011 11:03:48 -0700
Message-ID: <BANLkTinf2YaNdnhJuF5ui0mqBuR6zvKkkw@mail.gmail.com>
To: public-web-security@w3.org
Why doesn't style-src block inline style?  What's the point of
blocking external style sheets if the attacker can just open a <style>
tag and add whatever styles he or she wants?

Adam
Received on Tuesday, 5 April 2011 18:04:47 GMT
