- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 2 Nov 2012 10:30:11 -0700
- To: "L. David Baron" <dbaron@dbaron.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Would the following text answer these questions to your satisfaction? 
@@ -791,16 +791,15 @@ <code>style</code> element, instead the user agent <code>MUST</code> ignore the style.</li> - <li>Whenever the user agent would apply style from a - <code>style</code> attribute, instead the user agent - <code>MUST</code> ignore the style.</li> + <li>When determining the value for an element/CSS property combination + (care of Section 6.4.1 of [[!CSS21]]), the user agent <code>MUST</code> + ignore declarations from <code>style</code> attributes (in the sense of + the first bullet in Section 6.4.3 of [[!CSS21]]).</li> </ul> <p>Note: These restrictions on inline do not prevent the user agent from applying style from an external stylesheet (e.g., found via - <code><link rel="stylesheet"></code>). The user agent is also - not prevented from applying style from Cascading Style Sheets Object - Model (CSSOM). [[!CSSOM]]</p> + <code><link rel="stylesheet"></code>).</p> <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>

On Fri, Nov 2, 2012 at 2:29 AM, L. David Baron <dbaron@dbaron.org> wrote:
> http://www.w3.org/TR/CSP/#style-src describes a mechanism through
> which a CSP directive can say that the user agent must ignore style
> from style attributes. But it doesn't really say exactly what must
> be ignored, nor does it say at what level it must be ignored.
>
> It's not clear to me what the goal of this CSP feature is, that is,
> what the threat model is that it's trying to protect against.
>
> Without knowing that, it's not possible for me to review the patch
> to Mozilla to implement this feature in
> https://bugzilla.mozilla.org/show_bug.cgi?id=763879 .
>
> I think the specification should describe what should be ignored in
> a way that answers the following questions (and others) in such a
> way that is consistent with the threat model that this CSP feature
> is designed to protect against:
>
> (1) Is it acceptable to parse the contents of a style attribute and
> then not apply the style, or must the contents not be parsed?
>
> (2) Should other inline styles (such as background images specified
> using presentational HTML attributes) be ignored at the same time?
> (If the threat model has something to do with the ability to load
> resources from style attributes, it would seem like the answer here
> must be yes.)
>
> (3) Should the user agent ignore only style attributes that are
> present in the markup, or should other mechanisms that set style
> attributes (e.g., element.style access from script, SMIL animation)
> also be blocked?
>
> (4) Is it acceptable to load external resources referenced from
> such a style attribute, as long as those resources aren't used (for
> what definition of used)?
>
> -David
>
> --
> 𝄞 L. David Baron http://dbaron.org/ 𝄂
> 𝄢 Mozilla http://www.mozilla.org/ 𝄂
>
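Review bot: the replacement bullet in the hunk above settles question (1) (the attribute may be parsed; its declarations are dropped at the cascade step of CSS21 6.4.3) and, by deleting the CSSOM sentence, implies that declarations set through element.style or SMIL (question 3) are dropped the same way, but it never says so; consider adding "regardless of how the attribute's value was set" to the new <li>. Questions (2) and (4) remain unanswered by the hunk: presentational HTML attributes are not "style attributes" under the new wording, and nothing states whether resources referenced from an ignored declaration may still be fetched, which is the part of the threat model a reviewer of an implementation most needs. Minor: the retained context line "These restrictions on inline do not prevent" is missing a noun ("inline style").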
Received on Friday, 2 November 2012 17:31:11 UTC