Re: unsafe-inline for style-src

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 19 Sep 2012 22:39:18 -0400
Message-ID: <505A81D6.3050803@mit.edu>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org

On 9/19/12 9:21 PM, Adam Barth wrote:
> I should say that I don't really have a strong opinion here.  If
> there's another semantics that you prefer strongly, I'm certainly open
> to that.
>
> For authors, we should strive for the conceptually clearest semantics.
>   The concept I was going for was "don't use the style element or
> attribute."  Maybe it's clearer to include the CSSOM as well?  There
> isn't really a security benefit to blocking the CSSOM, so it seemed
> simpler to allow it.

Is there security benefit to blocking the style attribute?  Or is the 
real security benefit to blocking the style element and the attribute 
just came along for semantic clarity?

From my point of view, for what it's worth, the semantics that make
sense are "do not apply inline styles or styles from <style> elements".
The former would cover inline styles no matter how you set them,
basically.

-Boris
Received on Thursday, 20 September 2012 02:39:48 GMT