Re: style-src and inline style

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 5 Apr 2011 17:43:39 -0700
Message-ID: <BANLkTi=2LG8XM1A46iMmPy83AF1zThTJMA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org

I think the external style file could be used for attacking the
browser with some sort of memory corruption. It has nothing to do with
XSS.

Replace style with font in the above line and I think the possibility
becomes more acute.

-devdatta

On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>> Why doesn't style-src block inline style?  What's the point of
>>> blocking external style sheets if the attacker can just open a <style>
>>> tag and add whatever styles he or she wants?
>>
>> Currently style-src blocks external loads simply because they are
>> external loads (like 'font-src', which arguably could be merged with
>> style-src). In-line style isn't an XSS risk--in current browsers,
>> anyway--so we left that alone. Is messing with an element's style
>> much different from injecting other non-script HTML elements?
>>
>> The decision was somewhat arbitrary. What tipped it for me was that
>> XSS is such a scourge and our main target with CSP that I felt
>> justified in being a dictatorial jerk and blocking in-line script by
>> default; I couldn't quite argue that for style-src.
>
> I guess I don't understand the use case for blocking external style
> sheets but not inline style.  Why would an author want to do that?
>
> Adam
>
>
Received on Wednesday, 6 April 2011 00:44:26 GMT
