Re: CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe?

On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
> In the CSP specification, it states "authors should not include
> 'unsafe-inline' in their CSP policies if they wish to protect themselves
> against XSS."
>
> It is not entirely clear how allowing inline CSS ('style-src
> 'unsafe-inline';) can lead to XSS if you are blocking inline and external
> JS (script-src none;).
>
> Will 'script-src none' not block JS attempts in CSS?

CSP forbids any JavaScript from being included in CSS, regardless of
what policy you use.

> Does it depend on how the spec is implemented (per browser basis)?

As far as I know, all modern browsers have already removed the ability
to run script from CSS.

> Or, does the spec need to be
> re-worded to mention that the aforementioned sentence is only applicable
> to the script-src directive?

There is a security risk to letting folks inject CSS into your
document, albeit a smaller risk than letting them inject script.
There was a nice talk at Black Hat a couple years ago that talked
about the kinds of things an attacker can do by injecting only CSS.
For example, using attribute selectors and background images, the
attacker might be able to learn the value of form fields, including
password fields.

It's mostly a question of your risk tolerance.  There's a large
security benefit to locking down script-src and object-src.  There's a
smaller security benefit to locking down style-src.  We should update
the spec to have some more nuanced text on this topic.

Adam

Received on Monday, 19 March 2012 22:26:51 UTC
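As an added illustration of the trade-off Adam describes (this is example code, not part of the original thread), the checker below parses a CSP header and reports the three lockdowns in the order of the weight he gives them: script-src and object-src first, style-src 'unsafe-inline' as a smaller but real CSS-injection risk. It also catches the unquoted `script-src none` from the question, which CSP reads as a host named "none" rather than the 'none' keyword; the policy strings are constructed.

```python
"""Audit a Content-Security-Policy header for the risks discussed in the thread."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source, ...]}; names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources for a fetch directive, falling back to default-src when it is absent.

    Returns None when neither is present, i.e. the resource type is unrestricted.
    """
    return policy.get(directive, policy.get("default-src"))


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings, most severe resource type first."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "object-src", "style-src"):
        sources = effective(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not restricted (no directive and no default-src)")
            continue
        # Keywords must be quoted: a bare none is a host source, not the 'none' keyword.
        if "none" in sources:
            findings.append(f"{directive}: unquoted none is a host source, use 'none'")
        if "'unsafe-inline'" in sources:
            if directive == "script-src":
                findings.append("script-src: 'unsafe-inline' removes the XSS protection CSP gives")
            elif directive == "style-src":
                findings.append("style-src: 'unsafe-inline' permits injected CSS (attribute-selector "
                                "probing of form fields); smaller risk than script, but not zero")
    return findings


if __name__ == "__main__":
    # Constructed policy mirroring the question: unquoted none plus inline styles.
    for line in audit_csp("default-src 'self'; script-src none; style-src 'unsafe-inline'"):
        print(line)
```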