W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

CSP, style-src, and what it means to ignore style attributes

From: L. David Baron <dbaron@dbaron.org>
Date: Fri, 2 Nov 2012 10:29:28 +0100
To: public-webappsec@w3.org
Message-ID: <20121102092928.GA16256@crum.dbaron.org>
http://www.w3.org/TR/CSP/#style-src describes a mechanism through
which a CSP directive can say that the user agent must ignore style
from style attributes.  But it doesn't really say exactly what must
be ignored, nor does it say at what level it must be ignored.

It's not clear to me what the goal of this CSP feature is, that is,
what the threat model is that it's trying to protect against.

Without knowing that, it's not possible for me to review the patch
to Mozilla to implement this feature in
https://bugzilla.mozilla.org/show_bug.cgi?id=763879 .

I think the specification should describe what should be ignored in
a way that answers the following questions (and others) in such a
way that is consistent with the threat model that this CSP feature
is designed to protect against:

 (1) Is it acceptable to parse the contents of a style attribute and
 then not apply the style, or must the contents not be parsed?

 (2) Should other inline styles (such as background images specified
 using presentational HTML attributes) be ignored at the same time?
 (If the threat model has something to do with the ability to load
 resources from style attributes, it would seem like the answer here
 must be yes.)

 (3) Should the user agent ignore only style attributes that are
 present in the markup, or should other mechanisms that set style
 attributes (e.g., element.style access from script, SMIL animation)
 also be blocked?

 (4) Is it acceptable to load external resources referenced from
 such a style attribute, as long as those resources aren't used (for
 what definition of used)?

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                           http://www.mozilla.org/   𝄂
Received on Friday, 2 November 2012 09:29:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 2 November 2012 09:29:55 GMT