
Re: style-src and inline style

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 6 Apr 2011 09:00:54 +0100
Message-ID: <BANLkTi=x9kf48WFN6Ecis2yFVpmyuHKJUg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 6 April 2011 01:33, Adam Barth <w3c@adambarth.com> wrote:

> I guess I don't understand the use case for blocking external style
> sheets but not inline style.  Why would an author want to do that?


Even if we ignore the XSS threat from style, we don't want an attacker to be
able to inject:
<div style="background:url(//banking?transfer=1337&account=12345)"></div>

Received on Wednesday, 6 April 2011 08:01:23 UTC
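The following is an added example, not code from the original thread or from any browser vendor. It models how a browser would treat the injected <div style="background:url(//banking?...)"> above under a given Content-Security-Policy: it resolves the url() reference against the page URL the way the browser does, then applies the two directives that matter, the one governing inline style attributes (style-src-attr, falling back to style-src, then default-src) and the one governing the resulting background-image fetch (img-src, falling back to default-src). The page URL, the markup and the three policies are constructed sample input, and the CSP source-matching is a simplified model (no nonces, hashes or 'unsafe-hashes').

```javascript
// Added example: which requests an injected inline style would trigger under a CSP.
// Page URL, markup and policies below are constructed sample input.

const STYLE_ATTR = /\bstyle\s*=\s*"([^"]*)"/gi;
const CSS_URL = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// Collect every url() inside inline style attributes and resolve it against the
// page URL, so a protocol-relative "//banking?..." becomes an absolute URL.
function inlineStyleUrls(html, pageUrl) {
  const out = [];
  for (const attr of html.matchAll(STYLE_ATTR)) {
    for (const ref of attr[1].matchAll(CSS_URL)) {
      out.push(new URL(ref[2], pageUrl).href);
    }
  }
  return out;
}

// Parse "directive src src; directive src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Return the first present directive's source list, following CSP fallback order;
// null means no directive applies and the fetch is unrestricted.
function governing(policy, ...directives) {
  for (const d of directives) if (policy.has(d)) return policy.get(d);
  return null;
}

// Simplified source-list matching: 'none', 'self', *, scheme sources and host
// sources with an optional leading wildcard and port. No nonces or hashes.
function sourceAllows(list, url, pageUrl) {
  if (list === null) return true;
  const target = new URL(url), page = new URL(pageUrl);
  for (const src of list) {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') return false;
    if (s === '*') return true;
    if (s === 'self') { if (target.origin === page.origin) return true; continue; }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { if (target.protocol === s) return true; continue; }
    const m = s.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
    if (!m) continue;
    const [, scheme, wild, host, port] = m;
    if (scheme && target.protocol !== scheme + ':') continue;
    if (wild ? !target.hostname.endsWith('.' + host) : target.hostname !== host) continue;
    if (port && port !== '*' && target.port !== port) continue;
    return true;
  }
  return false;
}

// Requests an injected inline style would cause the browser to make under `header`.
function requestsTriggered(html, pageUrl, header) {
  const policy = parseCsp(header);
  // A style attribute the policy rejects never applies, so nothing is fetched.
  const styleList = governing(policy, 'style-src-attr', 'style-src', 'default-src');
  const inlineAllowed = styleList === null ||
    styleList.some(s => s.toLowerCase() === "'unsafe-inline'");
  if (!inlineAllowed) return [];
  // The background image is an image fetch, so img-src (then default-src) decides it.
  const imgList = governing(policy, 'img-src', 'default-src');
  return inlineStyleUrls(html, pageUrl).filter(u => sourceAllows(imgList, u, pageUrl));
}

// Constructed sample input (hypothetical page and policies).
const PAGE = 'https://example.com/account';
const INJECTED = '<div style="background:url(//banking?transfer=1337&account=12345)"></div>';
// Blocks external style sheets but still permits inline style and any image host.
const LAX = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *";
// Also refuses inline style attributes.
const STRICT = "default-src 'self'; style-src 'self'";
// Permits inline style but limits image fetches to the page's own origin.
const IMG_LOCKED = "default-src 'self'; style-src 'self' 'unsafe-inline'";

for (const [name, header] of [['LAX', LAX], ['STRICT', STRICT], ['IMG_LOCKED', IMG_LOCKED]]) {
  console.log(name, requestsTriggered(INJECTED, PAGE, header));
}
```

Under LAX the injected div fires a GET to https://banking/?transfer=1337&account=12345; under STRICT the style attribute never applies, and under IMG_LOCKED it applies but the cross-origin image fetch is refused. Either directive stops the request on its own; the model does not cover nonces, hashes or 'unsafe-hashes', which a real policy may also use.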
