W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Apr 2011 17:33:17 -0700
Message-ID: <BANLkTinJPOS_3GybdHdNad1Ek_ro28ZT0g@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org
On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/5/11 11:03 AM, Adam Barth wrote:
>> Why doesn't style-src block inline style?  What's the point of
>> blocking external style sheets if the attacker can just open a <style>
>> tag and add whatever styles he or she wants?
> currently style-src blocks external loads simply because they are
> external loads (like 'font-src', which arguably could be merged with
> style-src). In-line style isn't an XSS risk--in current browsers,
> anyway--so we left that alone. Is messing with an element's style
> much different from injecting other non-script HTML elements?
> The decision was somewhat arbitrary. What tipped it for me was that
> XSS is such a scourge and our main target with CSP that I felt
> justified in being a dictatorial jerk and blocking in-line script by
> default; I couldn't quite argue that for style-src.

I guess I don't understand the use case for blocking external style
sheets but not inline style.  Why would an author want to do that?

Received on Wednesday, 6 April 2011 00:34:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC