Re: XSLT style sheets

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 07 Apr 2011 13:53:10 +0200
Message-ID: <4D9DA5A6.2010603@gmx.de>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

On 07.04.2011 08:42, Adam Barth wrote:
> Which CSP directive should control XSLT style sheets?
>
> style-src says:
> [[
> The style-src directive defines the list of sources that are permitted
> to load <link rel="stylesheet"> elements, or external stylesheets.
> ]]
>
> Is an XSLT an external style sheet?
>
> On the other hand, they can be used to inject markup into the document,
> so maybe controlling them with script-src is more appropriate?  On yet
> ...

Is "inject" the right term here? After all, applying XSLT yields a new 
document, no?

BR, Julian
Received on Thursday, 7 April 2011 11:53:45 GMT
