W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Re: CSP and inline styles

From: L. David Baron <dbaron@dbaron.org>
Date: Fri, 2 Nov 2012 11:01:54 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: Ian Melven <imelven@mozilla.com>, public-webappsec@w3.org, Jonas Sicking <jonas@sicking.cc>
Message-ID: <20121102100154.GA17034@crum.dbaron.org>
On Monday 2012-10-22 15:28 -0700, Adam Barth wrote:
> The main threat we're trying to protect against is attackers who can
> inject markup into a document using CSS3 attribute selectors to steal
> passwords (and other data) store in input element attributes.  Also,
> we're worried about future evolution of CSS increasing this risk.

When are passwords and other data typically stored in input element
attributes?  When users edit the value in a form control, the change
to the current value of the control does not change values of
attributes, which represent the default value.  So the only thing
attribute selectors can select on is the default value, not the
current value.  (The exception to this is <details>.)

Also, if issues with selectors are the security risk that you're
trying to address, it's not clear to me why you need to block style
attributes at all (unless you're expecting the proposal to support
selectors in the style attribute to be implemented sometime).

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                           http://www.mozilla.org/   𝄂
Received on Friday, 2 November 2012 10:02:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 2 November 2012 10:02:22 GMT