W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: XSLT style sheets

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 14 Jun 2011 10:33:05 -0700
Message-ID: <4DF79B51.8050700@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Brian Smith <bsmith@mozilla.com>, public-web-security@w3.org
On 06/14/2011 10:10 AM, Adam Barth wrote:
>> So I think we either need to create a different category (xslt-src?) for
>> XSL stylesheets, or lump them with script-src which sites will
>> understand has a higher risk profile.  Thoughts?
> 
> I'd lump them in with script-src.  The problem is that they're
> somewhat obscure and authors aren't going to understand the security
> implications.  If you and I didn't get it right the first time, what
> chance do author's have?
> 
> Adam

Okay, this sounds fine.  Giorio seems to agree.  I'll wait to see if
there are objections, otherwise I'll make this change.  It is troubling
that some of these technologies are so poorly understood, even by us
"experts". I think putting XSLT with script-src has the advantage that
most users will understand that trusting a site to serve script has a
high amount of risk, and any risk aversion will automatically transfer
to XSLT as well.  This would not be the case if we created xslt-src,
which most sites would be unlikely to specify, and could inadvertently
permit this functionality through default-src.

Cheers,
Brandon
Received on Tuesday, 14 June 2011 17:32:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 June 2011 17:32:09 GMT