- From: Brian Smith <bsmith@mozilla.com>
- Date: Fri, 10 Jun 2011 16:57:02 -0700 (PDT)
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
Brandon Sterne wrote: > On 4/6/11 11:42 PM, Adam Barth wrote: > > Tentative recommendation: Control XSLT with style-src. (Warning: I > > haven't though through this recommendation carefully.) > > I just pushed a changeset that adds XSLT stylesheets to the style-src > directive: > https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5 > > I agree that this makes the most sense semantically, and adds no real > XSS attack surface since any script (or other resources) that the > stylesheet adds will be subject to the "original" document's CSP. I > suppose this last point should be made explicit in the spec. I'll add > that to my issue tracker. How would CSP affect the document() function in XSLT, which can import nodes from external documents? CSS can change how a page is displayed, but XSLT actually changes the content of the page. XSLT is a turing-complete, though tedious, programming functional programming language. IIRC, there are various XSLT extensions that are potentially dangerous, but I don't know if any browsers implement them. XSLT seems much more like JavaScript than it is like CSS. If I were a content author, I would very much like to block all XSLT, completely, without having to block JS or CSS. Cheers, Brian
Received on Tuesday, 14 June 2011 00:37:10 UTC