W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Re: CSP, style-src, and what it means to ignore style attributes

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 2 Nov 2012 10:30:11 -0700
Message-ID: <CAJE5ia-Rn_7N55gzEazZF6QMuZtxnFCpZFx7V-K=LxHoyEKxxA@mail.gmail.com>
To: "L. David Baron" <dbaron@dbaron.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Would the following text answer these questions to your satisfaction?

@@ -791,16 +791,15 @@
           <code>style</code> element, instead the user agent <code>MUST</code>
           ignore the style.</li>

-          <li>Whenever the user agent would apply style from a
-          <code>style</code> attribute, instead the user agent
-          <code>MUST</code> ignore the style.</li>
+          <li>When determining the value for an element/CSS property
combination
+          (care of Section 6.4.1 of [[!CSS21]]), the user agent
<code>MUST</code>
+          ignore declarations from <code>style</code> attributes (in
the sense of
+          the first bullet in Section 6.4.3 of [[!CSS21]]).</li>
         </ul>

         <p>Note: These restrictions on inline do not prevent the user agent
         from applying style from an external stylesheet (e.g., found via
-        <code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
-        not prevented from applying style from Cascading Style Sheets Object
-        Model (CSSOM). [[!CSSOM]]</p>
+        <code>&lt;link rel="stylesheet"&gt;</code>).</p>

         <p>Whenever the user agent <a
         href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>


On Fri, Nov 2, 2012 at 2:29 AM, L. David Baron <dbaron@dbaron.org> wrote:
> http://www.w3.org/TR/CSP/#style-src describes a mechanism through
> which a CSP directive can say that the user agent must ignore style
> from style attributes.  But it doesn't really say exactly what must
> be ignored, nor does it say at what level it must be ignored.
>
> It's not clear to me what the goal of this CSP feature is, that is,
> what the threat model is that it's trying to protect against.
>
> Without knowing that, it's not possible for me to review the patch
> to Mozilla to implement this feature in
> https://bugzilla.mozilla.org/show_bug.cgi?id=763879 .
>
> I think the specification should describe what should be ignored in
> a way that answers the following questions (and others) in such a
> way that is consistent with the threat model that this CSP feature
> is designed to protect against:
>
>  (1) Is it acceptable to parse the contents of a style attribute and
>  then not apply the style, or must the contents not be parsed?
>
>  (2) Should other inline styles (such as background images specified
>  using presentational HTML attributes) be ignored at the same time?
>  (If the threat model has something to do with the ability to load
>  resources from style attributes, it would seem like the answer here
>  must be yes.)
>
>  (3) Should the user agent ignore only style attributes that are
>  present in the markup, or should other mechanisms that set style
>  attributes (e.g., element.style access from script, SMIL animation)
>  also be blocked?
>
>  (4) Is it acceptable to load external resources referenced from
>  such a style attribute, as long as those resources aren't used (for
>  what definition of used)?
>
> -David
>
> --
> 𝄞   L. David Baron                         http://dbaron.org/   𝄂
> 𝄢   Mozilla                           http://www.mozilla.org/   𝄂
>
Received on Friday, 2 November 2012 17:31:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 2 November 2012 17:31:12 GMT