W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Apr 2011 18:37:18 -0700
Message-ID: <BANLkTikE1AVtqOjKG9JHXp7WEgCzhjq93w@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On Tue, Apr 5, 2011 at 6:29 PM, sird@rckc.at <sird@rckc.at> wrote:
> If styles are not blocked by CSP, you can make XSS attacks without JS,
> I always thought that was why CSP blocked all external requests..

CSP does block script in CSS, if that's what you're referring too.
Banning script in CSS takes place regardless of the presence of
style-src.

If course, if you're talking about CSS3 shenanigans, then that's a
horse of a different color.

Adam


> Though, in this case it doesn't make much sense so I'm not even sure
> of that, but it does makes sense for img-src and etc..
>
> On Tue, Apr 5, 2011 at 8:01 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> I don't have much experience of how browsers internally work, but
>> Daniel's reply made me think that there is some attack surface for all
>> `external loads,' which is why CSP default-denies all external loads,
>> including CSS style files.
>>
>> =devdatta
>>
>> On 5 April 2011 17:51, Adam Barth <w3c@adambarth.com> wrote:
>>> Even if I buy that, it seems like the memory corruption attack surface
>>> from external style is almost exactly the same as with inline style.
>>> You'd need to block both to get that benefit.
>>>
>>> Adam
>>>
>>>
>>> On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> I think the external style file could be used for attacking the
>>>> browser with some sort of memory corruption. It has nothing to do with
>>>> XSS.
>>>>
>>>> Replace style with font in the above line and I think the possibility
>>>> becomes more acute.
>>>>
>>>> -devdatta
>>>>
>>>> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>>>>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>>>>> Why doesn't style-src block inline style?  What's the point of
>>>>>>> blocking external style sheets if the attacker can just open a <style>
>>>>>>> tag and add whatever styles he or she wants?
>>>>>>
>>>>>> currently style-src blocks external loads simply because they are
>>>>>> external loads (like 'font-src', which arguably could be merged with
>>>>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>>>>> anyway--so we left that alone. Is messing with an element's style
>>>>>> much different from injecting other non-script HTML elements?
>>>>>>
>>>>>> The decision was somewhat arbitrary. What tipped it for me was that
>>>>>> XSS is such a scourge and our main target with CSP that I felt
>>>>>> justified in being a dictatorial jerk and blocking in-line script by
>>>>>> default; I couldn't quite argue that for style-src.
>>>>>
>>>>> I guess I don't understand the use case for blocking external style
>>>>> sheets but not inline style.  Why would an author want to do that?
>>>>>
>>>>> Adam
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
Received on Wednesday, 6 April 2011 01:38:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 6 April 2011 01:38:17 GMT