
CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe?

From: sec_ext <sec_ext@fb.com>
Date: Mon, 19 Mar 2012 21:48:02 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CB8CF7A0.44B0%sec_ext@fb.com>
In the CSP specification, it states "authors should not include
'unsafe-inline' in their CSP policies if they wish to protect themselves
against XSS."

It is not entirely clear how allowing inline CSS (style-src
'unsafe-inline';) can lead to XSS if you are blocking inline and external
JS (script-src none;).

Will 'script-src none' not block JS attempts in CSS? Does it depend on how
the spec is implemented (per browser basis)? Or, does the spec need to be
re-worded to mention that the aforementioned sentence is only applicable
to the script-src directive?

Thanks

Received on Monday, 19 March 2012 21:48:31 GMT
