W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 14 Apr 2011 15:38:53 -0700
Message-ID: <BANLkTimtDMYWLnSKHW+27AqgeKc_DdEV5w@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On Thu, Apr 14, 2011 at 1:51 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 4/11/11 11:19 AM, Brandon Sterne wrote:
>> On 4/7/11 9:17 AM, Collin Jackson wrote:
>>> I'd like to suggest option 3, which is to block inline styles by default
>>> only if a style-src directive is present (authors can use style-src
>>> 'inline' if they want to use style-src with inline styles).
>>>
>>> Attaching default blocking behaviors to specific directives rather than
>>> to the entirety of CSP makes the spec more extensible and allows us to
>>> support a variety of use cases while still keeping policies simple.
>>
>> I think this is the best solution offered so far.  If there are no
>> objections, I'll make this change to the spec draft as well.
>
> I'm in the process of making this change, and I'm wondering how best to
> extend this to be consistent with script-src.
>
> The proposal is to disable inline style when style-src is present and
> only allow it when the 'inline' keyword is added to style-src.
>
> For script-src, however, adding the 'inline' keyword to script-src is
> less desirable than the disable-xss-protection options token we had
> previously (from the standpoint of conveying sufficient caution when
> enabling inline script).  One option would be to change 'inline' to
> 'inline-style' that only has an effect when declared inside style-src,
> and have a different keyword for inline script, potentially keeping
> 'disable-xss-protection'.  Yes, that would be less consistent
> syntactically, but it would preserve the "Foot Gun Here" element.
>
> Separately, it's somewhat less elegant to say that inline script is
> disabled when any of:
>
>  1. script-src
>  2. object-src
>  3. ...
>
> are present (rather than the single style-src directive), but I haven't
> really heard a better suggestion so far.

One option is to say that inline script is disabled when script-src is
present (i.e., not triggering that restriction on object-src).  The
thought process is that you can't tell the "src" of inline script, so
script-src should block it.

Adam


> Should this list be hard
> coded, or should it be defined in terms of "content loading directives
> that can lead to script execution"?  Of course this list only has two
> items presently, but one could imaging the introduction of a new scripty
> browser feature that would need to be added to the list in the future.
>
> I have most of this change mapped out, but I'll wait to hear back from a
> few folks on this second issue before I push anything out.
>
> Thanks,
> Brandon
>
Received on Thursday, 14 April 2011 22:39:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 14 April 2011 22:39:56 GMT