
Re: unsafe-inline for style-src

From: Mike West <mkwst@google.com>
Date: Wed, 19 Sep 2012 00:40:00 +0200
Message-ID: <CAKXHy=eqbzTxj=KH6oBtH6W_nOsD8J47062AoS21-xn7p2JfdQ@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Good questions!

On Tue, Sep 18, 2012 at 11:57 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> * doc.body.appendChild(doc.createElement("style"));
> * doc.body.setAttribute("style", "...");
> * doc.body.innerHTML = "<style>...</style>";

These are blocked in WebKit if 'unsafe-inline' isn't whitelisted.

> * doc.body.style.background = "...";
> * doc.body.bgcolor = "...";
> * doc.body.appendChild(doc.createElement("font"));
> * bgcolor attributes appearing in the markup
> * <font> elements appearing in the markup

These are not blocked in WebKit at the moment. The latter three
possibly should be, as they actually touch the DOM; the first two
probably shouldn't be. I don't have a good argument as to why they're
different, other than the general feel that they're more JavaScript
than style...

It should be clarified in the spec, but I'm not sure there's really
much practical impact either way. There's much less that an attacker
can do with a font element than she can do with arbitrary style
properties.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 18 September 2012 22:40:50 GMT
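Whether the three operations Mike lists as blocked (appending a <style> element, setting a style attribute, injecting <style> via innerHTML) are actually blocked depends on the effective style-src of the page's policy. The following helper is an added example, not code from this thread or from WebKit; it assumes CSP 1.0 semantics, where style-src falls back to default-src, a missing directive means no restriction, and 'unsafe-inline' is the only keyword that re-enables inline style.

```javascript
// Added example (not from the thread): decide, for a CSP 1.0 header string,
// whether inline styles are permitted, so a defender can check that the
// header actually shipped turns the <style>/style=""/innerHTML cases off.

// Parse "directive value value; directive value" into a Map of token lists.
// CSP 1.0 ignores a repeated directive name, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// style-src governs styles; when absent, default-src applies; when neither
// is present the policy says nothing about styles at all.
function effectiveStyleSrc(directives) {
  if (directives.has('style-src')) return directives.get('style-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// true  -> inline styles run (no style restriction, or 'unsafe-inline' listed)
// false -> the inline-style operations discussed above are blocked
function inlineStyleAllowed(header) {
  const sources = effectiveStyleSrc(parseCsp(header));
  if (sources === null) return true;
  return sources.some((t) => t.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample headers, as a defender might pull them from responses.
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "script-src 'self'",
  "default-src 'self' 'unsafe-inline'; style-src 'self'",
  "style-src 'none'",
];
for (const h of samples) {
  console.log(`${inlineStyleAllowed(h) ? 'ALLOWS' : 'blocks'} inline style: ${h}`);
}
```

Note that "blocks" here only means the policy forbids inline style; as the thread points out, element.style property writes and bgcolor/<font> are not governed by it in WebKit regardless of what the header says.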
