W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2012

Re: CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe?

From: sec_ext <sec_ext@fb.com>
Date: Mon, 19 Mar 2012 22:36:56 +0000
To: Adam Barth <w3c@adambarth.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CB8D0133.44BC%sec_ext@fb.com>

Hey Adam,

Thanks for the clarification, my main concern was with the "if they wish
to protect themselves against XSS" portion.

Definitely aware of the other associated risks :)

Thanks again


On 3/19/12 3:25 PM, "Adam Barth" <w3c@adambarth.com> wrote:

>On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
>> In the CSP specification, it states "authors should not include
>> 'unsafe-inline' in their CSP policies if they wish to protect themselves
>> against XSS."
>>
>> It is not entirely clear how allowing inline CSS ('style-src
>> 'unsafe-inline';) can lead to XSS if you are blocking inline and
>>external
>> JS (script-src none;)
>>
>> Will 'script-src none' not block JS attempts in CSS?
>
>CSP forbids any JavaScript from being included in CSS, regardless of
>what policy you use.
>
>> Does it depend on how the spec is implemented (per browser basis)?
>
>As far as I know, all modern browsers have already removed the ability
>to run script from CSS.
>
>> Or, does the spec need to be
>> re-worded to mention that the aforementioned sentence is only applicable
>> to the script-src directive?
>
>There is a security risk to letting folks inject CSS into your
>document, albeit a smaller risk than letting them inject script.
>There was a nice talk at Black Hat a couple years ago that talked
>about the kinds of things an attacker can do by injecting only CSS.
>For example, using attribute selectors and background images, the
>attacker might be able to learn the value of form fields, including
>password fields.
>
>It's mostly a question of your risk tolerance.  There's a large
>security benefit to locking down script-src and object-src.  There's a
>smaller security benefit to locking down style-src.  We should update
>the spec to have some more nuanced text on this topic.
>
>Adam
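The trade-off Adam describes (a large benefit from locking down script-src and object-src, a smaller but real one from style-src) can be checked mechanically. The following Python auditor is an added example, not part of this thread or of any W3C or browser code: it parses a serialized policy, applies the default-src fallback, and flags 'unsafe-inline' with a severity that follows the thread's reasoning. The severity labels are this example's own choice, the sample policies are constructed, and the rule that a nonce or hash makes 'unsafe-inline' a no-op comes from CSP Level 2, which postdates this 2012 exchange.

```python
"""Audit a Content-Security-Policy header for the risks discussed in the thread.

Added example; the severity scale and the sample policies are assumptions
made here, not anything from the mail or the CSP specification text.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, directive, message)
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}.

    Directive names are case-insensitive; a directive repeated later in the
    header is ignored, matching how browsers treat duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`; script-src, object-src and style-src
    fall back to default-src when absent. None means no restriction at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def _has_nonce_or_hash(sources: List[str]) -> bool:
    # CSP Level 2 and later: a nonce or hash source makes 'unsafe-inline' a no-op.
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def audit_csp(header: str) -> List[Finding]:
    """Return findings ordered most severe first; an empty list means no concerns."""
    policy = parse_csp(header)
    findings: List[Finding] = []

    # Locking down script and plugin loading is where the large benefit lies.
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(("high", directive, "absent and no default-src: unrestricted"))
        elif "*" in sources:
            findings.append(("high", directive, "wildcard source allows any origin"))
        elif directive == "script-src" and "'unsafe-inline'" in sources:
            if _has_nonce_or_hash(sources):
                findings.append(("info", directive,
                                 "'unsafe-inline' is ignored by CSP2+ browsers because a nonce/hash is present"))
            else:
                findings.append(("high", directive, "'unsafe-inline' lets injected inline script run"))

    # Inline CSS is the smaller risk: injected styles can still probe page content.
    sources = effective_sources(policy, "style-src")
    if sources is None:
        findings.append(("medium", "style-src", "absent and no default-src: any inline or external CSS allowed"))
    elif "'unsafe-inline'" in sources:
        if _has_nonce_or_hash(sources):
            findings.append(("info", "style-src",
                             "'unsafe-inline' is ignored by CSP2+ browsers because a nonce/hash is present"))
        else:
            findings.append(("medium", "style-src",
                             "injected inline CSS can probe page content through selector matching"))

    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])  # stable sort keeps directive order
    return findings


if __name__ == "__main__":
    # Constructed sample policies modelled on the question in the thread.
    asked = "default-src 'none'; script-src 'none'; style-src 'unsafe-inline'"
    hardened = "default-src 'none'; script-src 'none'; object-src 'none'; style-src 'self'"
    for label, header in (("asked", asked), ("hardened", hardened)):
        print(label, audit_csp(header) or "no findings")
```

Run against the policy from the question, the auditor reports a single medium finding for style-src and nothing for script-src or object-src, since both resolve to 'none'; dropping default-src entirely promotes the missing script-src and object-src to high findings, which is the ordering Adam's reply argues for.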
Received on Monday, 19 March 2012 22:37:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 19 March 2012 22:37:24 GMT