- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 19 Sep 2012 13:19:03 -0700
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Sep 18, 2012 at 2:57 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> A question came up when implementing unsafe-inline for style-src. The spec
> says:
>
> If 'unsafe-inline' is not in allowed style sources
>
> Whenever the user agent would apply style from a style element, instead the
> user agent must ignore the style.
> Whenever the user agent would apply style from a style attribute, instead
> the user agent must ignore the style.
>
> Note: These restrictions on inline do not prevent the user agent from
> applying style from an external stylesheet (e.g., found via <link
> rel="stylesheet">).
>
> If a style tag or style attributes are set in html, it is clearly a case of
> unsafe-inline. But if styles are set in javascript (inline javascript or
> src'ed javascript), are they considered unsafe-inline? Here are some
> examples we are unsure about:
>
> * doc.body.appendChild(doc.createElement("style"));
> * doc.body.setAttribute("style", "...");
> * doc.body.style.background = "...";
> * bgcolor attributes appearing in the markup
> * <font> elements appearing in the markup
> * doc.body.appendChild(doc.createElement("font"));
> * doc.body.bgcolor = "...";
> * doc.body.innerHTML = "<style>...</style>";
>
> How does WebKit handle these cases? Our guess is that whenever a user agent
> applies css from a <style> tag or style attribute, it would be
> unsafe-inline. That would mean these cases would result in unsafe-inline
> that is blocked:
>
> * doc.body.appendChild(doc.createElement("style"));
> * doc.body.innerHTML = "<style>...</style>";
> * doc.body.setAttribute("style", "...");

My intent in writing that text was that manipulating the "style" attribute
via the DOM (e.g., setAttribute and friends) would be blocked but that
manipulating the styles via CSSOM would not be blocked.

On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/18/12 6:40 PM, Mike West wrote:
>>> * doc.body.setAttribute("style", "...");
> ...
>>> * doc.body.style.background = "...";
>
> There is no functional difference between those two. Especially not if you
> actually consider:
>
> doc.body.style.cssText = "....";

There isn't a functional difference, but there is a semantic difference. One
is manipulating the DOM style attribute (which then gets reflected in the
styles themselves). The other is manipulating the styles themselves (which
then gets reflected into the DOM style attribute).

Adam
Received on Wednesday, 19 September 2012 20:20:02 UTC
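The cases Tanvi lists can be checked against a real user agent rather than guessed at. The following is an added example, not code from the thread, from Mozilla or from WebKit: a probe script that applies each mechanism to a fresh element on a page served with a style policy that omits 'unsafe-inline' (assumed here: `style-src 'self'`, delivered by header and with the script itself allowed by script-src) and reports which mechanisms still changed the computed style. The `intent` field records only what Adam states in his reply, that DOM manipulation of the style attribute (and of `<style>` elements) is meant to be blocked while CSSOM manipulation is not; cases the thread does not settle are marked `unresolved` and never counted as mismatches. The element id prefix, the throwaway container and the `mismatches` helper are assumptions of this example.

```javascript
// Added example (not from the thread, Mozilla or WebKit). Load on a page
// served with a CSP lacking 'unsafe-inline' for styles, e.g.
//   Content-Security-Policy: style-src 'self'; script-src 'self'
// then inspect the console table. 'intent' is taken from Adam's reply:
// DOM-side style attribute / <style> element => blocked, CSSOM => allowed;
// anything the thread leaves open is 'unresolved'.

const RED = 'rgb(255, 0, 0)';

// Each probe applies one mechanism and returns the element whose computed
// `prop` should now be red if the user agent honoured the style.
const PROBES = [
  { name: 'appendChild(createElement("style"))', intent: 'blocked', prop: 'background-color',
    apply(doc, el, box) {
      const s = doc.createElement('style');
      s.textContent = '#' + el.id + ' { background: red }';
      box.appendChild(s);
      return el;
    } },
  { name: 'innerHTML = "<style>...</style>"', intent: 'blocked', prop: 'background-color',
    apply(doc, el, box) {
      const holder = doc.createElement('div');
      box.appendChild(holder);
      holder.innerHTML = '<style>#' + el.id + ' { background: red }</style>';
      return el;
    } },
  { name: 'setAttribute("style", ...)', intent: 'blocked', prop: 'background-color',
    apply(doc, el) { el.setAttribute('style', 'background: red'); return el; } },
  { name: 'el.style.background = ...', intent: 'allowed', prop: 'background-color',
    apply(doc, el) { el.style.background = 'red'; return el; } },
  { name: 'el.style.cssText = ...', intent: 'allowed', prop: 'background-color',
    apply(doc, el) { el.style.cssText = 'background: red'; return el; } },
  { name: 'bgcolor attribute in markup', intent: 'unresolved', prop: 'background-color',
    apply(doc, el, box) {
      box.insertAdjacentHTML('beforeend', '<table bgcolor="red"><tr><td>x</td></tr></table>');
      return box.lastElementChild;
    } },
  { name: 'doc.body.bgcolor = ...', intent: 'unresolved', prop: 'background-color',
    apply(doc) { doc.body.bgcolor = 'red'; return doc.body; },
    cleanup(doc) { doc.body.removeAttribute('bgcolor'); } },
  { name: '<font> element in markup', intent: 'unresolved', prop: 'color',
    apply(doc, el, box) {
      box.insertAdjacentHTML('beforeend', '<font color="red">x</font>');
      return box.lastElementChild;
    } },
  { name: 'appendChild(createElement("font"))', intent: 'unresolved', prop: 'color',
    apply(doc, el, box) {
      const f = doc.createElement('font');
      f.setAttribute('color', 'red');
      f.textContent = 'x';
      box.appendChild(f);
      return f;
    } },
];

// Run every probe inside a throwaway container, measure, then tear down.
function runProbes(doc) {
  const win = doc.defaultView;
  const box = doc.createElement('div');
  doc.body.appendChild(box);
  const results = PROBES.map((probe, i) => {
    const el = doc.createElement('div');
    el.id = 'csp-style-probe-' + i; // assumed id prefix, referenced by the selectors above
    el.textContent = 'probe';
    box.appendChild(el);
    let applied = false;
    let error = null;
    try {
      const target = probe.apply(doc, el, box);
      applied = win.getComputedStyle(target).getPropertyValue(probe.prop) === RED;
    } catch (e) {
      error = String(e); // a UA may throw rather than silently ignore
    }
    if (probe.cleanup) probe.cleanup(doc);
    return { name: probe.name, intent: probe.intent, applied, error };
  });
  box.remove();
  return results;
}

// Names of probes whose observed behaviour contradicts the stated intent.
function mismatches(results) {
  return results
    .filter(r => r.intent !== 'unresolved' && r.applied !== (r.intent === 'allowed'))
    .map(r => r.name);
}

if (typeof document !== 'undefined') {
  const results = runProbes(document);
  console.table(results);
  console.log('mismatches vs. stated intent:', mismatches(results));
}
```

Run it twice, once with and once without 'unsafe-inline' in style-src, and diff the `applied` column; the second run also shows a UA's answer for the `bgcolor` and `<font>` cases the thread leaves open. The `el.style.cssText` probe is included separately from `el.style.background` precisely because Boris raises it: both go through the CSSOM, so under Adam's reading both should still apply.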