
Re: XSLT style sheets

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 7 Apr 2011 22:08:53 -0700
Message-ID: <BANLkTimot5aBrsVicwQYMcznoQ-awp9c0Q@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: public-web-security@w3.org

On Thu, Apr 7, 2011 at 4:53 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 07.04.2011 08:42, Adam Barth wrote:
>>
>> Which CSP directive should control XSLT style sheets?
>>
>> style-src says:
>> [[
>> The style-src directive defines the list of sources that are permitted
>> to load <link rel="stylesheet"> elements, or external stylesheets.
>> ]]
>>
>> Is an XSLT an external style sheet?
>>
>> On the other hand, they can be used to inject markup into the document,
>> so maybe controlling them with script-src is more appropriate?  On yet
>> ...
>
> Is "inject" the right term here? After all, applying XSLT yields a new
> document, no?

That's a somewhat zen question.  The net result is that the XSLT gets
to choose the DOM that executes in the document's original security
context.

Adam
Received on Friday, 8 April 2011 05:09:53 GMT
