W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 11 Apr 2011 11:19:07 -0700
Message-ID: <4DA3461B.6070907@mozilla.com>
To: Collin Jackson <collin.jackson@sv.cmu.edu>
CC: Adam Barth <w3c@adambarth.com>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org

On 4/7/11 9:17 AM, Collin Jackson wrote:
> I'd like to suggest option 3, which is to block inline styles by default
> only if a style-src directive is present (authors can use style-src
> 'inline' if they want to use style-src with inline styles).
>
> I believe the common case for CSP is that authors will not use
> style-src, so they will be able to use inline styles normally without
> any special directives. If they do indicate that they're interested in
> style security by using style-src, they'll get the most secure behavior
> by default until they specify otherwise.
> 
> Attaching default blocking behaviors to specific directives rather than
> to the entirety of CSP makes the spec more extensible and allows us to
> support a variety of use cases while still keeping policies simple.
> 
> Collin

I think this is the best solution offered so far.  If there are no
objections, I'll make this change to the spec draft as well.

I have 10 items marked for follow-up that I'm hoping to address with
changesets this week.  That's in addition to the detailed editorial
feedback JeffH provided, which I'll also be looking to address in the
next week or three.  I'll reply to relevant posts on the list as I push
the changes.

Thanks,
Brandon
Received on Monday, 11 April 2011 18:19:39 GMT
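The decision rule in Collin's proposal (option 3), written out as a small policy evaluator. This is an added illustration, not text from the CSP draft or code from Mozilla; it keeps the proposal's `'inline'` spelling, and the case-insensitive directive names and first-directive-wins handling of duplicates are assumptions made here, not something the thread states.

```python
"""Decision logic for "option 3": inline styles are allowed unless the policy
carries a style-src directive, and a policy that does carry one must list the
'inline' keyword (the proposal's spelling) to re-enable them.
Added illustration only; not the CSP draft's text or Mozilla's code."""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy header into {directive-name: [source, ...]}.

    Directives are ';'-separated. Assumptions made by this example: names
    are case-insensitive and the first occurrence of a name wins.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])  # later duplicates are ignored
    return policy


def inline_style_allowed(header: str) -> tuple[bool, str]:
    """Apply option 3 to a policy and explain the outcome.

    Returns (allowed, reason). Only the presence of style-src switches the
    default: the blocking behaviour is attached to that directive, not to
    the policy as a whole, which is the point of the proposal.
    """
    policy = parse_csp(header)
    if "style-src" not in policy:
        return True, "no style-src directive: inline styles behave normally"
    sources = {s.lower() for s in policy["style-src"]}
    if "'inline'" in sources:
        return True, "style-src lists 'inline': author opted back in"
    return False, "style-src present without 'inline': inline styles blocked"


if __name__ == "__main__":
    # Constructed sample policies covering each branch of the rule.
    for hdr in ("script-src 'self'",
                "script-src 'self'; style-src https://cdn.example",
                "style-src 'self' 'inline'",
                "STYLE-SRC 'self'; style-src 'inline'"):
        allowed, why = inline_style_allowed(hdr)
        print(f"{hdr!r:55} -> {'allow' if allowed else 'block'} ({why})")
```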
