Re: style-src and inline style from Collin Jackson on 2011-04-07 (public-web-security@w3.org from April 2011)

From: Collin Jackson <collin.jackson@sv.cmu.edu>
Date: Thu, 7 Apr 2011 12:17:54 -0400
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Message-ID: <BANLkTim6RQO89hP58V978Df7YXPWh0Tn1A@mail.gmail.com>

On Thu, Apr 7, 2011 at 11:50 AM, Brandon Sterne <bsterne@mozilla.com> wrote:

> I suppose we're talking about an aesthetic decision we have to make.  Do
> people prefer to:
> 1. disable inline style by default and enable it with extra policy?
> 2. leave inline style intact

There's also enabling inline style by default and disabling it with
> extra policy, but that's even less consistent than 2. /shrug/
>

I'd like to suggest option 3, which is to block inline styles by default
only if a style-src directive is present (authors can use style-src 'inline'
if they want to use style-src with inline styles).

> I personally prefer 2, mostly because I place a premium on sites being
> able to write simple policies in the majority of cases.  I believe
> (hope?) the common case for CSP will be a site that uses inline style
> but blocks inline script.  I'm not religiously opposed to 1, though.

I believe the common case for CSP is that authors will not use style-src, so
they will be able to use inline styles normally without any special
directives. If they do indicate that they're interested in style security by
using style-src, they'll get the most secure behavior by default until they
specify otherwise.

Attaching default blocking behaviors to specific directives rather than to
the entirety of CSP makes the spec more extensible and allows us to support
a variety of use cases while still keeping policies simple.

Collin

>

Received on Thursday, 7 April 2011 16:27:13 UTC