
Re: style-src and inline style

From: Brandon Sterne <bsterne@mozilla.com>
Date: Thu, 07 Apr 2011 08:50:42 -0700
Message-ID: <4D9DDD52.6010407@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Bil Corry <bil@corry.biz>, Collin Jackson <collin.jackson@sv.cmu.edu>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 04/07/2011 12:05 AM, Adam Barth wrote:
> On Thu, Apr 7, 2011 at 12:00 AM, Bil Corry <bil@corry.biz> wrote:
>> One use case to consider: I want to allow only HTTPS stylesheets, and allow
>> inline styles specifically for framebusting:
>>
>>        https://www.codemagi.com/blog/post/194
> 
> Sure, but that would work if there was an "allow-inline-style" option
> (or if you could use the frame-ancestors directive).
> 
> Adam

So, it's obvious there are use cases for enabling inline style.  I'm not
super compelled by the case for blocking inline style other than
consistency, which I agree is nice to have.  Locking down all CSS to
external stylesheets might be desirable for a high assurance web site.

I suppose we're talking about an aesthetic decision we have to make.  Do
people prefer to:
1. disable inline style by default and enable it with extra policy?
2. leave inline style intact

There's also enabling inline style by default and disabling it with
extra policy, but that's even less consistent than 2. /shrug/

I personally prefer 2, mostly because I place a premium on sites being
able to write simple policies in the majority of cases.  I believe
(hope?) the common case for CSP will be a site that uses inline style
but blocks inline script.  I'm not religiously opposed to 1, though.

-Brandon
Received on Thursday, 7 April 2011 15:48:05 GMT
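The use case Bil raised (HTTPS-only external stylesheets, but inline style permitted for framebusting) under each of the two designs Brandon lists, as an added example that is not code from this thread or from any browser's CSP implementation. It models a `style-src` source list with a simplified version of the scheme-source and host-source matching CSP 1.0 later specified; the keyword `'allow-inline-style'` is the name floated in the thread (the shipped standard spelled it `'unsafe-inline'`), and every policy string and URL below is constructed for the example.

```python
"""Toy model of the two style-src designs debated in this thread.

Design 1: once a style-src directive is present, inline style is blocked
          unless the policy re-enables it with an explicit keyword.
Design 2: inline style is always left intact; style-src only governs
          external stylesheets.
"""
from urllib.parse import urlparse

# Assumption: keyword name taken from the thread's proposal; real CSP
# later used 'unsafe-inline' for the same purpose.
INLINE_KEYWORD = "'allow-inline-style'"


def parse_style_src(policy: str) -> list:
    """Return the source expressions of the style-src directive ([] if absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "style-src":
            return parts[1:]
    return []


def source_matches(expr: str, url: str) -> bool:
    """Simplified CSP source matching: 'none', scheme sources, host sources."""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr.endswith(":") and "/" not in expr:
        # Scheme source such as "https:" matches any URL with that scheme.
        return u.scheme == expr[:-1]
    # Host source, optionally with a scheme, e.g. "cdn.example" or
    # "https://cdn.example"; no wildcard or path handling in this model.
    host_expr = expr.split("://", 1)[-1]
    scheme_ok = "://" not in expr or expr.split("://", 1)[0] == u.scheme
    return scheme_ok and u.netloc == host_expr


def external_stylesheet_allowed(policy: str, url: str) -> bool:
    """Would a <link rel=stylesheet> to url load under this policy?"""
    sources = parse_style_src(policy)
    if not sources:
        return True  # no style-src directive: nothing is restricted
    return any(source_matches(s, url) for s in sources if s != INLINE_KEYWORD)


def inline_style_allowed(policy: str, design: int) -> bool:
    """Would an inline <style> block (e.g. framebusting CSS) apply?"""
    sources = parse_style_src(policy)
    if design == 2 or not sources:
        return True
    return INLINE_KEYWORD in sources


# Constructed policies: Bil's minimal policy, and the same policy with the
# extra keyword design 1 would require.
BIL_POLICY = "style-src https:"
BIL_POLICY_WITH_KEYWORD = "style-src https: 'allow-inline-style'"

# Constructed stylesheet URLs (cdn.example is a placeholder host).
HTTPS_SHEET = "https://cdn.example/site.css"
HTTP_SHEET = "http://cdn.example/site.css"


def evaluate_use_case(policy: str, design: int) -> dict:
    """Outcome of Bil's three requirements for one policy under one design."""
    return {
        "https_sheet": external_stylesheet_allowed(policy, HTTPS_SHEET),
        "http_sheet": external_stylesheet_allowed(policy, HTTP_SHEET),
        "inline_framebust": inline_style_allowed(policy, design),
    }


if __name__ == "__main__":
    for design in (1, 2):
        for policy in (BIL_POLICY, BIL_POLICY_WITH_KEYWORD):
            print(f"design {design}, {policy!r}: {evaluate_use_case(policy, design)}")
```

Under design 2 the one-token policy `style-src https:` already satisfies all three requirements, which is the "simple policies in the majority of cases" argument; under design 1 the same policy silently breaks the inline framebusting CSS until the site adds the extra keyword, which is the consistency-versus-simplicity trade-off the thread is weighing.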
