- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 10 Jun 2011 16:41:14 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 4/6/11 11:42 PM, Adam Barth wrote: > Which CSP directive should control XSLT style sheets? > > style-src says: > [[ > The style-src directive defines the list of sources that are permitted > to load <link rel="stylesheet"> elements, or external stylesheets. > ]] > > Is an XSLT an external style sheet? > > On the other had, they can be used to inject markup into the document, > so maybe controlling them with script-src is more appropriate? On yet > a third hand, maybe the markup isn't that dangerous given that it's > subject to the CSP policy? > > Tentative recommendation: Control XSLT with style-src. (Warning: I > haven't though through this recommendation carefully.) I just pushed a changeset that adds XSLT stylesheets to the style-src directive: https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5 I agree that this makes the most sense semantically, and adds no real XSS attack surface since any script (or other resources) that the stylesheet adds will be subject to the "original" document's CSP. I suppose this last point should be made explicit in the spec. I'll add that to my issue tracker. Cheers, Brandon
Received on Friday, 10 June 2011 23:41:43 UTC