Re: style-src and inline style

On Wed, Apr 6, 2011 at 1:00 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 6 April 2011 01:33, Adam Barth <w3c@adambarth.com> wrote:
>> I guess I don't understand the use case for blocking external style
>> sheets but not inline style.  Why would an author want to do that?
>
> +1
>
> Even if we ignore the XSS threat from style, we don't want an attacker to be
> able to inject:-
> <div style="background:url(//banking?transfer=1337&account=12345)"></div>

That specific case would be controlled by img-src.  Of course, a@href
isn't controlled by CSP, which means the attacker can always mount a
CSRF attack, but that's out of scope.

Adam

Received on Wednesday, 6 April 2011 08:03:49 UTC
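An added example, not part of the thread: a small JavaScript model of the directive routing Adam describes, showing that an inline style attribute is decided by style-src while the url() it loads is an image fetch decided by img-src (falling back to default-src). The policy strings and the page origin are constructed; source matching covers only 'none', 'self', '*' and exact origins.

```javascript
// Constructed example: which CSP directive governs an injected inline style
// and the url() fetch it triggers. Not a full CSP implementation.

// Parse "directive src1 src2; directive2 ..." into Map<directive, sources[]>.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Fetch directives fall back to default-src when absent; null = unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Subset of source-expression matching: 'none', 'self', '*', exact origin.
function originAllowed(sources, origin, selfOrigin) {
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some(
    (s) => s === '*' || (s === "'self'" && origin === selfOrigin) || s === origin
  );
}

// style="..." attributes are governed by style-src and need 'unsafe-inline'.
function inlineStyleAllowed(policy) {
  const sources = effectiveSources(policy, 'style-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// url() in a background declaration is an image load: img-src decides.
function cssBackgroundFetchAllowed(policy, url, selfOrigin) {
  const origin = new URL(url, selfOrigin).origin.toLowerCase();
  return originAllowed(effectiveSources(policy, 'img-src'), origin, selfOrigin);
}

// Evaluate both decisions for an injected <div style="background:url(...)">.
function evaluateInjection(header, injectedUrl, selfOrigin) {
  const policy = parsePolicy(header);
  return {
    inlineStyle: inlineStyleAllowed(policy),
    backgroundFetch: cssBackgroundFetchAllowed(policy, injectedUrl, selfOrigin),
  };
}
```

With `default-src 'self'` and no img-src, the background fetch to a foreign host is blocked even though `style-src 'unsafe-inline'` lets the attribute apply; dropping 'unsafe-inline' blocks the attribute itself regardless of img-src.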