
Re: style-src and inline style

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 06 Apr 2011 11:40:58 -0700
Message-ID: <4D9CB3BA.4070405@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/6/11 1:48 AM, gaz Heyes wrote:
> Ok so CSP allows <style> blocks? Then maybe disabling vendor-specific
> functionality could be a good option (-o-link etc.), but then we have the CSS
> overlay problem: if I can inject inline styles then we can replace the
> site UI with something unexpected.

CSP currently allows both <style> blocks as well as the style attribute
on individual elements.

> I think Adam is right here; inline
> styles are as much of a problem as inline script IMO.

I don't think that's what Adam was saying, nor do I agree with this.
What I hear Adam saying is that this is inconsistent, which it is, but
was justified for the reasons Dan mentioned: 1) CSP is primarily geared
toward preventing XSS, 2) CSP provides a bunch of levers for restricting
the loading of sub-document resources, stylesheets being one type.

Personally, I think consistency is desirable, but not if it makes the
work of CSP server implementors necessarily hard ("now go remove all
instances of inline style") for limited benefit.

-Brandon
Received on Wednesday, 6 April 2011 18:41:26 GMT
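The "levers" Brandon mentions are the style-src/default-src host-source lists. As an added example (not code from the thread or from any CSP implementation), here is a simplified evaluator that decides whether an external stylesheet URL is permitted by a policy, and separately whether inline style is permitted. The inline check is modelled on the later CSP 1.0 rule that inline style requires the 'unsafe-inline' keyword, which is the restriction this thread is debating; the 2011 draft Brandon describes allowed inline style unconditionally. Port matching and path matching are omitted.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(expr, url, page_origin):
    """Match one source expression against url (simplified host-source matching).

    page_origin is a (scheme, host) tuple for the document carrying the policy.
    """
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != u.scheme:
        return False
    host = e.hostname or ""
    if host.startswith("*."):  # "*.cdn.example" matches a.cdn.example, not cdn.example
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def _applicable(policy):
    """style-src governs stylesheets; default-src is the fallback; None = unrestricted."""
    return policy.get("style-src", policy.get("default-src"))


def stylesheet_allowed(policy, url, page_origin):
    """True if an external stylesheet at url may load under this policy."""
    sources = _applicable(policy)
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


def inline_style_allowed(policy):
    """True if <style> blocks / style="" attributes are permitted (CSP 1.0 semantics)."""
    sources = _applicable(policy)
    return sources is None or "'unsafe-inline'" in sources
```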
