- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 5 Apr 2011 18:01:16 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
I don't have much experience of how browsers internally work, but
Daniel's reply made me think that there is some attack surface for all
'external loads,' which is why CSP default-denies all external loads,
including CSS style files.

=devdatta

On 5 April 2011 17:51, Adam Barth <w3c@adambarth.com> wrote:
> Even if I buy that, it seems like the memory corruption attack surface
> from external style is almost exactly the same as with inline style.
> You'd need to block both to get that benefit.
>
> Adam
>
>
> On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> I think the external style file could be used for attacking the
>> browser with some sort of memory corruption. It has nothing to do with
>> XSS.
>>
>> Replace style with font in the above line and I think the possibility
>> becomes more acute.
>>
>> -devdatta
>>
>> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>>> Why doesn't style-src block inline style? What's the point of
>>>>> blocking external style sheets if the attacker can just open a <style>
>>>>> tag and add whatever styles he or she wants?
>>>>
>>>> Currently style-src blocks external loads simply because they are
>>>> external loads (like 'font-src', which arguably could be merged with
>>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>>> anyway--so we left that alone. Is messing with an element's style
>>>> much different from injecting other non-script HTML elements?
>>>>
>>>> The decision was somewhat arbitrary. What tipped it for me was that
>>>> XSS is such a scourge and our main target with CSP that I felt
>>>> justified in being a dictatorial jerk and blocking in-line script by
>>>> default; I couldn't quite argue that for style-src.
>>>
>>> I guess I don't understand the use case for blocking external style
>>> sheets but not inline style. Why would an author want to do that?
>>>
>>> Adam
>>
>
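As an added example (not code from the thread or from any browser), here is a small Python model of the policy semantics Daniel describes for Mozilla's implementation at the time: style-src and font-src gate external fetches and fall back to default-src, inline style is left alone, and inline script is blocked by default. The directive grammar, the simplified URL matching (scheme and host only) and the sample loads are assumptions made for the example; it models the thread's description, not the later CSP specification's handling of inline style.

```python
from urllib.parse import urlparse

def parse_policy(policy):
    # 'directive src src; directive src'  ->  {directive: [sources]}
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, url, page_origin):
    """Match one source expression against a URL (simplified: scheme and host only)."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    s = urlparse(source if "://" in source else "https://" + source)
    scheme_ok = "://" not in source or u.scheme == s.scheme
    return scheme_ok and u.netloc == s.netloc

def external_load_allowed(policy, directive, url, page_origin):
    """External fetches go through their directive, else default-src; no policy allows."""
    d = parse_policy(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

def evaluate(policy, loads, page_origin):
    """Return one allow (True) / block (False) decision per load, in order."""
    decisions = []
    for load in loads:
        if load.get("inline"):
            # Thread's rationale: inline script is blocked by default (XSS target);
            # inline style is not an external load, so style-src leaves it alone.
            decisions.append(load["directive"] != "script-src")
        else:
            decisions.append(external_load_allowed(policy, load["directive"], load["url"], page_origin))
    return decisions

# Constructed sample loads for a page served from https://app.example.com.
SAMPLE_LOADS = [
    {"directive": "style-src", "url": "https://cdn.example.net/site.css"},
    {"directive": "style-src", "url": "https://app.example.com/site.css"},
    {"directive": "font-src", "url": "https://fonts.example.net/a.woff"},
    {"directive": "style-src", "inline": True},   # a <style> block
    {"directive": "script-src", "inline": True},  # a <script> block
]
```

With `default-src 'none'; style-src 'self'` only the same-origin style sheet and the inline style survive, which is exactly the asymmetry Adam is questioning.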
Received on Wednesday, 6 April 2011 01:02:03 UTC