Re: style-src and inline style

On 6 April 2011 09:02, Adam Barth <w3c@adambarth.com> wrote:

> That specific case would be controlled by img-src.  Of course, a@href
> isn't controlled by CSP, which means the attacker can always mount a
> CSRF attack, but that's out of scope.
>

OK, so CSP allows <style> blocks? Then maybe disabling vendor-specific
functionality could be a good option (-o-link etc.), but then we have the CSS
overlay problem: if I can inject inline styles, then we can replace the site
UI with something unexpected. I think Adam is right here; inline styles are
as much of a problem as inline script, IMO.

Received on Wednesday, 6 April 2011 08:48:48 UTC
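An added example, not part of the post above or of the CSP drafts under discussion: a small evaluator for the question the post raises, namely whether a given policy lets an injected inline <style> block apply, together with the kind of full-page overlay payload the post describes. It follows the behaviour of the published CSP specs (style-src falling back to default-src, 'unsafe-inline', and the nonce and hash sources added in CSP Level 2, which postdate this 2011 thread). The policy strings, the nonce value, the attacker.example domain and the overlay payload are all constructed for the example; hash sources are recognised only so that they disable 'unsafe-inline', the style body is not hashed.

```javascript
// Added example, not from the mailing-list post: a minimal evaluator for
// whether a Content-Security-Policy permits an injected inline <style> block,
// which is the overlay case the post worries about. Policy strings, the nonce
// and the overlay payload are constructed for this example.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// A directive that appears more than once keeps its first occurrence;
// later duplicates are ignored, as the spec requires.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// The source list governing <style> elements: style-src, else default-src.
// Returns null when neither is present (styles are then unrestricted).
function styleSources(policy) {
  if ('style-src' in policy) return policy['style-src'];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Decide whether an inline <style> element, optionally carrying a nonce
// attribute, is allowed to apply under the given policy.
// Hash sources ('sha256-...' etc.) are recognised so that they disable
// 'unsafe-inline', but the style body is not hashed here: injected content
// will not match an allowlisted hash except by accident.
function allowsInlineStyle(header, nonce) {
  const sources = styleSources(parseCsp(header));
  if (sources === null) return true;

  const hasKeyword = kw => sources.some(s => s.toLowerCase() === kw);
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));

  // A matching nonce always wins; nonce values are compared case-sensitively.
  if (nonce !== undefined && sources.includes(`'nonce-${nonce}'`)) return true;

  // 'unsafe-inline' re-enables inline styles, but is ignored when the source
  // list also carries a nonce or hash (CSP Level 2 and later).
  if (hasKeyword("'unsafe-inline'") && !hasNonceOrHash) return true;

  return false;
}

// Constructed overlay payload of the kind the post describes: a fixed,
// full-viewport element that paints over the real UI with attacker-chosen
// text. If the policy lets this <style> apply, the page's UI is replaced.
const OVERLAY_PAYLOAD =
  '<style>body::before{content:"Session expired - sign in at attacker.example";' +
  'position:fixed;top:0;left:0;width:100vw;height:100vh;' +
  'background:#fff;z-index:2147483647;}</style>';

// Constructed policies; the second element is the nonce the injected
// <style> carries (undefined: the attacker does not know the nonce).
const CONSTRUCTED_POLICIES = [
  ["img-src 'self'", undefined],                                 // no style directive at all
  ["default-src 'self'", undefined],                             // style-src falls back to default-src
  ["default-src 'self'; style-src 'self' 'unsafe-inline'", undefined],
  ["style-src 'self' 'nonce-r4nd0mV4lue'", undefined],           // injected block has no nonce
  ["style-src 'unsafe-inline' 'nonce-r4nd0mV4lue'", undefined],  // 'unsafe-inline' ignored
];

// Report, per policy, whether the overlay payload would apply.
function evaluatePolicies(policies) {
  return policies.map(([header, nonce]) => ({
    header,
    overlayApplies: allowsInlineStyle(header, nonce),
  }));
}

for (const r of evaluatePolicies(CONSTRUCTED_POLICIES)) {
  console.log(`${r.overlayApplies ? 'OVERLAY APPLIES' : 'blocked        '}  ${r.header}`);
}
```

The same decision governs the style attribute, so a policy that leaves inline styles enabled to keep legacy markup working also leaves the overlay open; the only policies in the list that block the payload are the ones where the governing source list has no 'unsafe-inline' that is actually honoured.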