
Re: style-src and inline style

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 05 Apr 2011 17:07:23 -0700
Message-ID: <4D9BAEBB.5070902@mozilla.com>
To: public-web-security@w3.org
On 4/5/11 11:03 AM, Adam Barth wrote:
> Why doesn't style-src block inline style?  What's the point of
> blocking external style sheets if the attacker can just open a <style>
> tag and add whatever styles he or she wants?

Currently style-src blocks external loads simply because they are
external loads (like 'font-src', which arguably could be merged with
style-src). In-line style isn't an XSS risk--in current browsers,
anyway--so we left that alone. Is messing with an element's style
much different from injecting other non-script HTML elements?

The decision was somewhat arbitrary. What tipped it for me was that
XSS is such a scourge and our main target with CSP that I felt
justified in being a dictatorial jerk and blocking in-line script by
default; I couldn't quite argue that for style-src.

-Dan Veditz
Received on Wednesday, 6 April 2011 00:07:59 GMT
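The distinction Adam and Dan are debating, as an added example that is not part of this thread: a small style-src evaluator in JavaScript. It implements the behaviour CSP later standardised, where style-src also governs inline `<style>` and permits it only with 'unsafe-inline', rather than the 2011 Firefox behaviour Dan describes; the policy strings and origins are constructed, and nonces and hashes are not modelled.

```javascript
// Minimal CSP style-src evaluator (added example, not a browser implementation).
// Models the later standardised semantics: external sheets must match a source
// expression, and inline <style> is allowed only with 'unsafe-inline'.

function parsePolicy(header) {
  // "default-src 'self'; style-src 'self' https://cdn.example.com" -> Map(name -> [sources])
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function styleSources(policy) {
  // style-src falls back to default-src; if neither is present, styles are unrestricted
  return policy.get('style-src') ?? policy.get('default-src') ?? null;
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // host source: [scheme://]host[:port], host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  // no port in the expression means the scheme's default port, which URL reports as ''
  const portOk = !port ? url.port === '' : (port === '*' || url.port === port);
  return hostOk && portOk;
}

function allowsExternalStyle(header, styleUrl, pageOrigin) {
  const sources = styleSources(parsePolicy(header));
  if (sources === null) return true;
  const url = new URL(styleUrl);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

function allowsInlineStyle(header) {
  const sources = styleSources(parsePolicy(header));
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'"); // nonces and hashes are not modelled here
}
```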
