- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 5 Apr 2011 17:51:10 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Even if I buy that, it seems like the memory corruption attack surface from external style is almost exactly the same as with inline style. You'd need to block both to get that benefit. Adam On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > I think the external style file could be used for attacking the > browser with some sort of memory corruption. It has nothing to do with > XSS. > > Replace style with font in the above line and I think the possibility > becomes more acute. > > -devdatta > > On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote: >> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote: >>> On 4/5/11 11:03 AM, Adam Barth wrote: >>>> Why doesn't style-src block inline style? What's the point of >>>> blocking external style sheets if the attacker can just open a <style> >>>> tag and add whatever styles he or she wants? >>> >>> currently style-src blocks external loads simply because they are >>> external loads (like 'font-src', which arguably could be merged with >>> style-src). In-line style isn't an XSS risk--in current browsers, >>> anyway--so we left that alone. Is messing with an element's style >>> much different from injecting other non-script HTML elements? >>> >>> The decision was somewhat arbitrary. What tipped it for me was that >>> XSS is such a scourge and our main target with CSP that I felt >>> justified in being a dictatorial jerk and blocking in-line script by >>> default; I couldn't quite argue that for style-src. >> >> I guess I don't understand the use case for blocking external style >> sheets but not inline style. Why would an author want to do that? >> >> Adam >> >> >
Received on Wednesday, 6 April 2011 00:52:08 UTC