W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 6 Apr 2011 09:48:21 +0100
Message-ID: <BANLkTi=zeDZb3u=UsCDtO5-Vobwn5gL6dQ@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 6 April 2011 09:02, Adam Barth <w3c@adambarth.com> wrote:

> That specific case would be controlled by img-src.  Of course, a@href
> isn't controlled by CSP, which means the attacker can always mount a
> CSRF attack, but that's out of scope.
>

Ok so CSP allows <style> blocks? Then maybe disabling vendor specific
functionality could be a good option (-o-link etc) but then we have CSS
overlay problem, if I can inject inline styles then we can replace the site
UI with something unexpected. I think Adam is right here inline styles are
as much as a problem as inline script IMO.
Received on Wednesday, 6 April 2011 08:48:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 6 April 2011 08:48:49 GMT