W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

Re: unsafe-inline for style-src

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 19 Sep 2012 18:21:00 -0700
Message-ID: <CAJE5ia9ZNZTwD3EQox=4+tukDsEgwHPOaZPqQnj62NO0PQs0Gw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-webappsec@w3.org
On Wed, Sep 19, 2012 at 6:08 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/19/12 4:19 PM, Adam Barth wrote:
>> On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>> On 9/18/12 6:40 PM, Mike West wrote:
>>>>>
>>>>> * doc.body.setAttribute("style", "...");
>>> ...
>>>>>
>>>>> * doc.body.style.background = "...";
>>>
>>> There is no functional different between those two.  Especially not if
>>> you
>>> actually consider:
>>>
>>>    doc.body.style.cssText = "....";
>>
>> There isn't a functional difference, but there is a semantic
>> difference.  One is manipulating the DOM style attribute (which then
>> gets reflected in the styles themselves).  The other is manipulating
>> the styles themselves (which then gets reflected into the DOM style
>> attribute).
>
> Yes, but in which case is this semantic difference something someone writing
> a CSP would care about, given that the resulting functionality is identical?

I should say that I don't really have a strong opinion here.  If
there's another semantics that you prefer strongly, I'm certainly open
to that.

For authors, we should strive for the conceptually clearest semantics.
 The concept I was going for was "don't use the style element or
attribute."  Maybe it's clearer to include the CSSOM as well?  There
isn't really a security benefit to blocking the CSSOM, so it seemed
simpler to allow it.

Adam
Received on Thursday, 20 September 2012 01:21:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2012 01:22:00 GMT