
Re: style-src and inline style

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 06 Apr 2011 11:40:58 -0700
Message-ID: <4D9CB3BA.4070405@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/6/11 1:48 AM, gaz Heyes wrote:
> Ok so CSP allows <style> blocks? Then maybe disabling vendor specific
> functionality could be a good option (-o-link etc) but then we have the CSS
> overlay problem: if I can inject inline styles then we can replace the
> site UI with something unexpected.

CSP currently allows both <style> blocks as well as the style attribute
on individual elements.

> I think Adam is right here: inline
> styles are as much of a problem as inline script IMO.

I don't think that's what Adam was saying, nor do I agree with this.
What I hear Adam saying is that this is inconsistent, which it is, but
was justified for the reasons Dan mentioned: 1) CSP is primarily geared
toward preventing XSS, 2) CSP provides a bunch of levers for restricting
the loading of sub-document resources, stylesheets being one type.

Personally, I think consistency is desirable, but not if it makes the
work of CSP server implementors necessarily hard ("now go remove all
instances of inline style") for limited benefit.

Received on Wednesday, 6 April 2011 18:41:26 UTC
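The "lever" Brandon refers to is the style-src directive, which governs which external stylesheets a document may load (falling back to default-src when absent). The evaluator below is an added example, not code from this thread or from any browser or CSP implementation: it parses a policy string and decides whether a stylesheet URL may be loaded, using a simplified source-expression grammar (the 'self' and 'none' keywords, a bare scheme, and a host with optional scheme, leading wildcard and port). The policy, page URL and stylesheet URLs in the sample are constructed. It deliberately says nothing about inline <style> blocks or style= attributes, since, as the message states, the draft under discussion did not restrict them at all; a practitioner reading the thread today should also know that later CSP versions do block inline style unless the policy opts in with the 'unsafe-inline' keyword.

```javascript
// Added example (not from the original thread): a minimal evaluator for the
// CSP style-src lever. Source-expression grammar is simplified on purpose.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// "directive value value; directive value" -> Map(name -> [values]).
// The first occurrence of a directive name wins; later duplicates are ignored.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// style-src applies if present; otherwise default-src; otherwise no restriction.
function effectiveStyleSources(directives) {
  if (directives.has('style-src')) return directives.get('style-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Host pattern: exact host, "*", or "*.suffix" (which does not match the bare suffix).
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `url` from a page at `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e.startsWith("'")) return false; // other keywords do not authorise external loads
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-only, e.g. "https:"

  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false; // simplification: scheme-less host-sources cover http/https only
  }
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (port && port !== '*') {
    const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
    if (port !== urlPort) return false;
  }
  return true;
}

// Top-level check: may `stylesheetUrl` be loaded by a document at `pageUrl`
// under `policyText`? Returns true when no applicable directive exists.
function stylesheetAllowed(policyText, stylesheetUrl, pageUrl) {
  const sources = effectiveStyleSources(parsePolicy(policyText));
  if (sources === null) return true;
  const url = new URL(stylesheetUrl);
  const page = new URL(pageUrl);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// Constructed sample policy and page origin (hypothetical hosts).
const SAMPLE_POLICY = "default-src 'self'; style-src 'self' https://cdn.example.com *.static.example.net";
const SAMPLE_PAGE = 'https://app.example.com/';

// Stand-alone demo: evaluate a handful of constructed stylesheet URLs.
for (const u of [
  'https://app.example.com/main.css',      // allowed via 'self'
  'https://cdn.example.com/lib.css',       // allowed via explicit host
  'http://cdn.example.com/lib.css',        // blocked: scheme mismatch
  'https://a.static.example.net/x.css',    // allowed via wildcard host
  'https://evil.example.org/x.css',        // blocked: not listed
]) {
  console.log(u, '->', stylesheetAllowed(SAMPLE_POLICY, u, SAMPLE_PAGE));
}
```

The fallback in effectiveStyleSources is the part worth keeping in mind when writing a policy: a header that only sets default-src still constrains stylesheet loads, while a header that sets only script-src leaves them unconstrained.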
