Re: XSLT style sheets

From: Brian Smith <bsmith@mozilla.com>
Date: Fri, 10 Jun 2011 16:57:02 -0700 (PDT)
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
Message-ID: <1197006949.175947.1307750222945.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Brandon Sterne wrote:
> On 4/6/11 11:42 PM, Adam Barth wrote:
> > Tentative recommendation: Control XSLT with style-src. (Warning: I
> > haven't thought through this recommendation carefully.)
> 
> I just pushed a changeset that adds XSLT stylesheets to the style-src
> directive:
> https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5
> 
> I agree that this makes the most sense semantically, and adds no real
> XSS attack surface since any script (or other resources) that the
> stylesheet adds will be subject to the "original" document's CSP. I
> suppose this last point should be made explicit in the spec. I'll add
> that to my issue tracker.

How would CSP affect the document() function in XSLT, which can import nodes from external documents?

CSS can change how a page is displayed, but XSLT actually changes the content of the page. XSLT is a Turing-complete, though tedious, functional programming language. IIRC, there are various XSLT extensions that are potentially dangerous, but I don't know if any browsers implement them. XSLT seems much more like JavaScript than it is like CSS.

If I were a content author, I would very much like to block all XSLT, completely, without having to block JS or CSS.

Cheers,
Brian
Received on Tuesday, 14 June 2011 00:37:10 UTC
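
An added example, not part of the original message or of the CSP draft: a static audit that lists every place an XSLT stylesheet pulls in another document (xsl:import, xsl:include, and the document() function asked about above) and checks each against an origin allowlist. It assumes, for illustration only, that document() loads would be held to the same source list as the stylesheet itself; the sample stylesheet, URLs and function names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XSL = "{http://www.w3.org/1999/XSL/Transform}"
# document('literal') calls inside XPath attributes; computed arguments are flagged separately.
DOC_LITERAL = re.compile(r"document\(\s*(['\"])(.*?)\1")
DOC_ANY = re.compile(r"document\(")

# Constructed sample stylesheet, not taken from the thread.
SAMPLE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="common.xsl"/>
  <xsl:include href="https://cdn.example.net/widgets.xsl"/>
  <xsl:template match="/">
    <div><xsl:copy-of select="document('https://other.example.org/nodes.xml')/root/*"/></div>
    <p><xsl:value-of select="document(@src)/title"/></p>
  </xsl:template>
</xsl:stylesheet>"""

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def external_loads(xslt_text, base_url):
    """Return (kind, absolute URL or None) for each point where the stylesheet loads another document."""
    loads = []
    for el in ET.fromstring(xslt_text).iter():
        if el.tag in (XSL + "import", XSL + "include"):
            loads.append((el.tag[len(XSL):], urljoin(base_url, el.get("href", ""))))
        for value in el.attrib.values():
            literals = DOC_LITERAL.findall(value)
            loads += [("document()", urljoin(base_url, u)) for _, u in literals]
            # A document() call whose argument is computed at transform time has no static URL.
            if len(DOC_ANY.findall(value)) > len(literals):
                loads.append(("document()", None))
    return loads

def audit(xslt_text, base_url, allowed_origins):
    """Split loads into (allowed, blocked) under an origin allowlist (assumed policy); dynamic loads are blocked."""
    allowed, blocked = [], []
    for kind, url in external_loads(xslt_text, base_url):
        ok = url is not None and origin(url) in allowed_origins
        (allowed if ok else blocked).append((kind, url))
    return allowed, blocked

if __name__ == "__main__":
    sources = {"https://site.example.com", "https://cdn.example.net"}
    ok, bad = audit(SAMPLE, "https://site.example.com/xsl/main.xsl", sources)
    print("allowed:", ok)
    print("blocked:", bad)
```

The document() call with a computed argument (`@src`) cannot be resolved statically, which is why the audit reports it as blocked rather than guessing a URL.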