XSLT style sheets

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 6 Apr 2011 23:42:13 -0700
Message-ID: <BANLkTineqZ0aS+p8Y8arvvQ2C09a18Wc4A@mail.gmail.com>
To: public-web-security@w3.org
Which CSP directive should control XSLT style sheets?

style-src says:
[[
The style-src directive defines the list of sources that are permitted
to load <link rel="stylesheet"> elements, or external stylesheets.
]]

Is an XSLT an external style sheet?

On the other hand, they can be used to inject markup into the document,
so maybe controlling them with script-src is more appropriate?  On yet
a third hand, maybe the markup isn't that dangerous given that it's
subject to the CSP policy?

Tentative recommendation: Control XSLT with style-src.  (Warning: I
haven't thought through this recommendation carefully.)

Adam
Received on Thursday, 7 April 2011 06:43:12 GMT
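Added example, not part of Adam Barth's message or of any CSP implementation: a small Python check that applies the tentative recommendation, treating the XSLT stylesheet named by an `<?xml-stylesheet?>` processing instruction as governed by style-src (falling back to default-src, an assumption borrowed from later CSP drafts). Source-list matching is simplified, and all function names, URLs and the sample policy are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

def parse_csp(header):
    """Split 'a b c; d e' into {directive-name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, document_origin):
    """Match one CSP source expression against an absolute URL (simplified rules)."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        o = urlparse(document_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if source.endswith(":"):  # scheme-source such as "https:"
        return u.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; a leading "*." matches subdomains only
    s = urlparse(source if "://" in source else f"{u.scheme}://{source}")
    if ("://" in source and s.scheme != u.scheme) or s.port != u.port:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname

def stylesheet_href(xml_text, document_url):
    """Absolute URL from the first <?xml-stylesheet ... href=...?> PI, or None."""
    m = re.search(r'<\?xml-stylesheet[^>]*?\bhref=(["\'])(.*?)\1', xml_text)
    return urljoin(document_url, m.group(2)) if m else None

def xslt_allowed(csp_header, xml_text, document_url):
    """Tentative rule from the message: XSLT is governed by style-src, else default-src."""
    href = stylesheet_href(xml_text, document_url)
    policy = parse_csp(csp_header)
    sources = policy.get("style-src", policy.get("default-src"))
    if href is None or sources is None:
        return True  # nothing to fetch, or no governing directive in this policy
    p = urlparse(document_url)
    return any(source_matches(s, href, f"{p.scheme}://{p.netloc}") for s in sources)
```

Under the alternative discussed in the message (script-src governing XSLT), only the directive name looked up in `xslt_allowed` would change.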
