
Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Apr 2011 17:33:17 -0700
Message-ID: <BANLkTinJPOS_3GybdHdNad1Ek_ro28ZT0g@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org
On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/5/11 11:03 AM, Adam Barth wrote:
>> Why doesn't style-src block inline style?  What's the point of
>> blocking external style sheets if the attacker can just open a <style>
>> tag and add whatever styles he or she wants?
>
> Currently style-src blocks external loads simply because they are
> external loads (like 'font-src', which arguably could be merged with
> style-src). In-line style isn't an XSS risk--in current browsers,
> anyway--so we left that alone. Is messing with an element's style
> much different from injecting other non-script HTML elements?
>
> The decision was somewhat arbitrary. What tipped it for me was that
> XSS is such a scourge and our main target with CSP that I felt
> justified in being a dictatorial jerk and blocking in-line script by
> default; I couldn't quite argue that for style-src.

I guess I don't understand the use case for blocking external style
sheets but not inline style.  Why would an author want to do that?

Adam
Received on Wednesday, 6 April 2011 00:34:15 GMT
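A small model of the two behaviours discussed in this thread, added here as an illustration and not taken from the list or from any browser's code: the style-src source list (falling back to default-src) governs external style sheet loads, while whether inline style is also blocked depends on how the directive is defined. The document origin, header strings and host names below are constructed, and 'unsafe-inline' is the opt-in keyword later CSP levels adopted.

```python
from urllib.parse import urlparse

# Constructed example origin used for 'self' matching (an assumption, not from the thread).
DOCUMENT_ORIGIN = "https://example.test"


def style_sources(header: str) -> list[str]:
    """Source list governing style sheets: style-src, falling back to default-src."""
    directives = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("style-src", directives.get("default-src", []))


def _source_matches(src: str, target) -> bool:
    """Match one host-source expression (scheme://host, host, *.host); ports ignored for brevity."""
    scheme, host_pat = src.split("://", 1) if "://" in src else (None, src)
    if scheme and scheme.lower() != target.scheme:
        return False
    host_pat = host_pat.rstrip("/").lower()
    if host_pat.startswith("*."):
        return target.hostname.endswith(host_pat[1:])
    return host_pat == target.hostname


def external_stylesheet_allowed(sources: list[str], url: str) -> bool:
    """Whether <link rel="stylesheet" href=url> may load; this is all the 2011 draft enforced."""
    if not sources:
        return True  # no applicable directive: unrestricted
    target, origin = urlparse(url), urlparse(DOCUMENT_ORIGIN)
    for src in sources:
        if src.lower() == "'none'":
            return False
        if src.lower() == "'self'":
            if (target.scheme, target.hostname) == (origin.scheme, origin.hostname):
                return True
        elif not src.startswith("'") and _source_matches(src, target):
            return True
    return False


def inline_style_allowed(sources: list[str], block_inline_by_default: bool = True) -> bool:
    """Whether a <style> block or style= attribute applies.

    block_inline_by_default=False models the behaviour Veditz describes (style-src only
    governs external loads, so inline style always applies, which is the gap Barth raises);
    True models the rule later CSP levels adopted: inline style is blocked unless the
    source list contains 'unsafe-inline'.
    """
    if not sources or not block_inline_by_default:
        return True
    return any(s.lower() == "'unsafe-inline'" for s in sources)
```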
