- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Wed, 06 Apr 2011 11:40:58 -0700
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/6/11 1:48 AM, gaz Heyes wrote:
> Ok so CSP allows <style> blocks? Then maybe disabling vendor-specific
> functionality could be a good option (-o-link etc.), but then we have the CSS
> overlay problem: if I can inject inline styles then we can replace the
> site UI with something unexpected.
CSP currently allows both <style> blocks as well as the style attribute
on individual elements.
> I think Adam is right here: inline
> styles are as much of a problem as inline script IMO.
I don't think that's what Adam was saying, nor do I agree with this.
What I hear Adam saying is that this is inconsistent, which it is, but
was justified for the reasons Dan mentioned: 1) CSP is primarily geared
toward preventing XSS, 2) CSP provides a bunch of levers for restricting
the loading of sub-document resources, stylesheets being one type.
Personally, I think consistency is desirable, but not if it makes the
work of CSP server implementors necessarily hard ("now go remove all
instances of inline style") for limited benefit.
-Brandon
Received on Wednesday, 6 April 2011 18:41:26 UTC
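The inconsistency the two sides are discussing is easiest to see by evaluating a policy against the two kinds of injected content. The following is an added example written for this archive page; it is not code from the e-mail, from Mozilla, or from any browser's CSP implementation. It is a toy evaluator using CSP 1.0 directive and source syntax (`default-src` fallback, `'unsafe-inline'`), not the 2011 draft syntax, and its `mode` switch is an assumption introduced here: `"draft-2011"` models the behaviour Brandon describes above (inline `<style>` and `style` attributes are always permitted; `style-src` governs only external stylesheet loads), while `"csp1"` models the behaviour CSP 1.0 eventually standardized, where inline style is blocked unless the governing directive carries `'unsafe-inline'`. The function names, the sample policies and the origins are constructed for the example; nonces, hashes and report-only mode are not modelled.

```python
"""Toy CSP evaluator for the question in this thread: does a policy stop an
injected inline <style> block or style attribute the way script-src stops
inline script?

Added example; not code from the e-mail, from Mozilla, or from any browser.
Directive names and source syntax follow CSP 1.0 (default-src fallback,
'unsafe-inline'), not the 2011 draft syntax. The `mode` switch is an
assumption introduced here to contrast two behaviours:
  "draft-2011": inline style is always allowed; style-src governs only
                external stylesheet loads (the inconsistency under discussion)
  "csp1":       inline style and inline script are both blocked unless the
                governing directive carries 'unsafe-inline'
"""
from urllib.parse import urlparse

# Which directive governs each resource type; inline-* share the directive
# of the external load of the same kind.
GOVERNING_DIRECTIVE = {
    "script": "script-src", "inline-script": "script-src",
    "style": "style-src", "inline-style": "style-src",
}


def parse_policy(header):
    """Split "script-src 'self' cdn.example; style-src 'none'" into
    {directive: [source, ...]}. Directive names are case-insensitive."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, resource_url, page_origin):
    """Match one source expression against a URL. 'self' is resolved against
    page_origin (e.g. "https://app.example.com"); keyword sources such as
    'unsafe-inline' never match a URL."""
    res = urlparse(resource_url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return f"{res.scheme}://{res.netloc}" == page_origin
    if source.startswith("'"):
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return f"{res.scheme}:" == source
    # host-source: optional scheme, host (optionally "*."-prefixed), optional port
    src = urlparse(source if "://" in source else f"{res.scheme}://{source}")
    if src.scheme != res.scheme or src.port != res.port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return (res.hostname or "").endswith(host[1:])
    return host == res.hostname


def allows(policy, resource_type, resource_url=None, page_origin=None, mode="csp1"):
    """Return True if the parsed policy lets this load or inline block happen."""
    sources = policy.get(GOVERNING_DIRECTIVE[resource_type])
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True                      # no governing directive: unrestricted
    if resource_type == "inline-style" and mode == "draft-2011":
        return True                      # the draft behaviour described in the mail
    if resource_type in ("inline-script", "inline-style"):
        return "'unsafe-inline'" in sources
    return any(source_matches(s, resource_url, page_origin) for s in sources)


def injection_report(header, mode="csp1"):
    """What an attacker who can inject markup, but not host files anywhere the
    policy permits, still gets away with: inline script, and the inline style
    that enables the UI-overlay trick raised in the thread."""
    policy = parse_policy(header)
    return {
        "inline-script": allows(policy, "inline-script", mode=mode),
        "inline-style": allows(policy, "inline-style", mode=mode),
    }


if __name__ == "__main__":
    # Constructed sample: own origin plus one CDN for script; styles fall back
    # to default-src, which only permits the page's own origin.
    HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com"
    ORIGIN = "https://app.example.com"
    p = parse_policy(HEADER)
    print(allows(p, "script", "https://cdn.example.com/app.js", ORIGIN))
    print(allows(p, "style", "https://cdn.example.com/app.css", ORIGIN))
    print(injection_report(HEADER, mode="draft-2011"))
    print(injection_report(HEADER, mode="csp1"))
    print(injection_report("style-src 'self' 'unsafe-inline'"))
```

Under `"draft-2011"` the sample policy blocks an injected `<script>` but still passes an injected `<style>`, which is exactly the overlay exposure gaz describes; under `"csp1"` both are refused until the site operator opts back in with `'unsafe-inline'` on `style-src`, which is the "now go remove all instances of inline style" cost Brandon weighs against the benefit.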