On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/5/11 11:03 AM, Adam Barth wrote:
>> Why doesn't style-src block inline style? What's the point of
>> blocking external style sheets if the attacker can just open a <style>
>> tag and add whatever styles he or she wants?
>
> Currently style-src blocks external loads simply because they are
> external loads (like 'font-src', which arguably could be merged with
> style-src). In-line style isn't an XSS risk--in current browsers,
> anyway--so we left that alone. Is messing with an element's style
> much different from injecting other non-script HTML elements?
>
> The decision was somewhat arbitrary. What tipped it for me was that
> XSS is such a scourge and our main target with CSP that I felt
> justified in being a dictatorial jerk and blocking in-line script by
> default; I couldn't quite argue that for style-src.

I guess I don't understand the use case for blocking external style sheets but not inline style. Why would an author want to do that?

Adam

Received on Wednesday, 6 April 2011 00:34:15 GMT