W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 6 Apr 2011 13:14:49 -0700
Message-ID: <BANLkTimcLmifUz+sxhiKkx0ysD8C4cUw7A@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On Wed, Apr 6, 2011 at 12:56 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 04/06/2011 12:33 PM, Collin Jackson wrote:
>> On Wed, Apr 6, 2011 at 11:40 AM, Brandon Sterne <bsterne@mozilla.com
>> <mailto:bsterne@mozilla.com>> wrote:
>>
>>     Personally, I think consistency is desirable, but not if it makes the
>>     work of CSP server implementors necessarily hard ("now go remove all
>>     instances of inline style") for limited benefit.
>>
>>
>> Presumably most authors are not going to use style-src since it doesn't
>> solve any XSS problems. Blocking inline styles for people who do use
>> style-src seems both consistent and desirable.
>
> What about a secure site that only wants to load their stylesheet over
> TLS?  It is asking them to do quite a lot of work if we require they
> remove all inline CSS.

I think supporting the "no mixed content" use case is valuable, but it
seems like folks will have a similar problem with script-src as you're
describing with style-src.  If I just want to block mixed content, why
do I need to do all the work to remove inline script?

Adam
Received on Wednesday, 6 April 2011 20:15:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 6 April 2011 20:15:48 GMT