W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2012

Re: CSP and inline styles

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 22 Oct 2012 22:31:16 -0400
Message-ID: <50860174.2060909@mit.edu>
To: public-webappsec@w3.org
On 10/22/12 6:28 PM, Adam Barth wrote:
>> * doc.body.setAttribute("style", "...");
>
> These are blocked.
>
>> * doc.body.style.background = "...";
>
> These are not blocked.

Once again, these are functionally equivalent given cssText.  And it's 
actually _more_ work, both in spec terms and in terms of implementation 
(at least in Gecko) to block one but not the other.  So I'm still not 
sure why we're blocking one but not the other...  We should just block 
all inline style and be done with it, instead of worrying exactly how it 
was set.

> That's correct, but we need to stop somewhere.  An attacker who can
> inject markup into a document cannot add code that assign arbitrary
> values to element.style.background.

Nor can they call setAttribute, yes?  So why are we blocking the 
setAttribute version?

Or are we just trying to block parser-triggered attribute sets and it 
happens to be hard to distinguish those from scripted attribute sets in 
some implementations?

> It's not entirely obvious to me where to draw the line as to what to
> block.  The spec draws it in an easy-to-define place

I still have to see a clear definition of the inline style behavior in 
this spec.  Everything I have seen so far has basically required 
reverse-engineering UAs to understand what the spec is trying to say.

Again, it would be easier to just spec that inline style is not applied, 
period.

-Boris
Received on Tuesday, 23 October 2012 02:31:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 23 October 2012 02:31:45 GMT