W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

unsafe-inline for style-src

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 18 Sep 2012 14:57:12 -0700
Message-ID: <5058EE38.9020501@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
A question came up when implementing unsafe-inline for style-src. The 
spec says:

/If //|'unsafe-inline'|//is //*not*//in /allowed style sources

  * /Whenever the user agent would apply style from a
    //|style|//element, instead the user agent //|/must/|//ignore the
    style./
  * /Whenever the user agent would apply style from a
    //|style|//attribute, instead the user agent //|/must/|//ignore the
    style./

/Note: These restrictions on inline do not prevent the user agent from 
applying style from an external stylesheet (e.g., found via //|<link 
rel="stylesheet">|//). /

If a style tag or style attributes are set in html, it is clearly a case 
of unsafe-inline.  But if styles are set in javascript (inline 
javascript or src'ed javascript), are they considered unsafe-inline?  
Here are some examples we are unsure about:

* doc.body.appendChild(doc.createElement("style"));
* doc.body.setAttribute("style", "...");
* doc.body.style.background = "...";
* bgcolor attributes appearing in the markup
* <font> elements appearing in the markup
* doc.body.appendChild(doc.createElement("font"));
* doc.body.bgcolor = "...";
* doc.body.innerHTML = "<style>...</style>";

How does WebKit handle these cases?  Our guess is that whenever a user 
agent applies css from a <style> tag or style attribute, it would be 
unsafe-inline.  That would mean, these cases would result in 
unsafe-inline that is blocked:

* doc.body.appendChild(doc.createElement("style"));
* doc.body.innerHTML = "<style>...</style>";
* doc.body.setAttribute("style", "...");

Thanks!

~Tanvi
Received on Tuesday, 18 September 2012 21:57:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 18 September 2012 21:57:40 GMT