
Re: style-src and inline style

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 6 Apr 2011 09:00:54 +0100
Message-ID: <BANLkTi=x9kf48WFN6Ecis2yFVpmyuHKJUg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org

On 6 April 2011 01:33, Adam Barth <w3c@adambarth.com> wrote:

> I guess I don't understand the use case for blocking external style
> sheets but not inline style.  Why would an author want to do that?
>

+1

Even if we ignore the XSS threat from style, we don't want an attacker to be
able to inject:

<div style="background:url(//banking?transfer=1337&account=12345)"></div>
Received on Wednesday, 6 April 2011 08:01:23 GMT
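The following is an added example, not code from the thread or from any browser's CSP implementation. It models the point above in CSP level 1 terms: inline style (including `style` attributes) is governed by `style-src`, falling back to `default-src`, and is only permitted when that directive carries `'unsafe-inline'`. A policy that blocks external style sheets but still allows inline style therefore lets an injected `style` attribute be applied, and any `url()` in it becomes a GET request carrying the victim's cookies. The page URL, the policies and the `//banking` target are constructed for the demonstration.

```javascript
// Added example (not part of the original message). Assumes CSP level 1
// semantics: style-src governs inline style, falling back to default-src;
// inline style is allowed only via 'unsafe-inline'. Page URL and policies
// below are constructed.

// Parse a Content-Security-Policy header value into
// { directiveName: [sourceExpression, ...] }. Per CSP, the first occurrence
// of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Would the browser apply an inline style attribute under this policy?
// No governing directive at all means CSP imposes no restriction.
function inlineStyleAllowed(policy) {
  const governing = policy["style-src"] ?? policy["default-src"];
  if (governing === undefined) return true;
  return governing.map((s) => s.toLowerCase()).includes("'unsafe-inline'");
}

// Extract every url(...) from a style attribute value and resolve it against
// the page URL: these are the requests the style triggers once applied.
function styleRequestUrls(styleAttr, pageUrl) {
  const urls = [];
  const re = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;
  let m;
  while ((m = re.exec(styleAttr)) !== null) {
    urls.push(new URL(m[2], pageUrl).href);
  }
  return urls;
}

// Requests an injected style attribute causes under a given policy: none if
// the policy blocks inline style, otherwise the resolved url() targets.
function requestsCausedByInjection(styleAttr, cspHeader, pageUrl) {
  const policy = parseCsp(cspHeader);
  return inlineStyleAllowed(policy) ? styleRequestUrls(styleAttr, pageUrl) : [];
}

// Constructed sample: the payload from the message, injected into a
// hypothetical banking page.
const INJECTED_STYLE = "background:url(//banking?transfer=1337&account=12345)";
const PAGE_URL = "https://bank.example/account";

// Blocks external style sheets from other origins but still allows inline style.
const BLOCKS_EXTERNAL_ONLY = "style-src 'self' 'unsafe-inline'";
// Also blocks inline style: the injected attribute is never applied.
const BLOCKS_INLINE_TOO = "style-src 'self'";

console.log("external-only:", requestsCausedByInjection(INJECTED_STYLE, BLOCKS_EXTERNAL_ONLY, PAGE_URL));
console.log("inline too:   ", requestsCausedByInjection(INJECTED_STYLE, BLOCKS_INLINE_TOO, PAGE_URL));
```

Under the first policy the attribute is applied and the browser requests `https://banking/?transfer=1337&account=12345`, with the user's cookies attached, which is the cross-site request the message warns about. Under the second the attribute is dropped and no request is made. The model stops at whether the style applies; in a full CSP evaluation the background-image fetch itself is additionally checked against `img-src` (falling back to `default-src`), so the strict fix is still to keep `'unsafe-inline'` out of `style-src` rather than to rely on the image directive.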
