
Re: unsafe-inline for style-src

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 20 Sep 2012 10:19:42 -0700
Message-ID: <CAJE5ia-WFyDZf5aLSs89a8faPnBO4sN_0-s_U4SCU8SwR2C3QQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-webappsec@w3.org

On Wed, Sep 19, 2012 at 7:39 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/19/12 9:21 PM, Adam Barth wrote:
>> I should say that I don't really have a strong opinion here.  If
>> there's another semantics that you prefer strongly, I'm certainly open
>> to that.
>>
>> For authors, we should strive for the conceptually clearest semantics.
>> The concept I was going for was "don't use the style element or
>> attribute."  Maybe it's clearer to include the CSSOM as well?  There
>> isn't really a security benefit to blocking the CSSOM, so it seemed
>> simpler to allow it.
>
> Is there security benefit to blocking the style attribute?  Or is the real
> security benefit to blocking the style element and the attribute just came
> along for semantic clarity?

There are two risks that we're trying to mitigate:

1) CSS3 attribute selectors.  These are scary because they can be used
to extract information from the page, such as data typed into <input>
elements.  Blocking the <style> element is enough to mitigate this
risk.

2) Phishing.  If an attacker can inject elements into a page with
arbitrary style, the attacker can completely change the appearance of
the page and, for example, make the page show a login screen.  This
attack is more powerful than a traditional phishing attack because the
browser's location bar will still show the URL of the real web site
(including any EV indicators or whatnot).  To mitigate this risk, we
need to block both <style> and @style.

> From my point of view, for what it's worth, the semantics that make sense
> are "do not apply inline styles or styles from <style> elements".  The
> former would cover inline styles no matter how you set them, basically.

For reference, here's the current text from the spec:

---8<---
If 'unsafe-inline' is not in allowed style sources:

* Whenever the user agent would apply style from a style element,
instead the user agent must ignore the style.
* Whenever the user agent would apply style from a style attribute,
instead the user agent must ignore the style.

Note: These restrictions on inline do not prevent the user agent from
applying style from an external stylesheet (e.g., found via <link
rel="stylesheet">). The user agent is also not prevented from applying
style from Cascading Style Sheets Object Model (CSSOM). [CSSOM]
--->8---

Do you have a specific change to the text that you'd like to propose?

Adam

Received on Thursday, 20 September 2012 17:20:43 GMT
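The semantics in the quoted spec text, as an added example that is not part of this thread or of the CSP spec itself: a small JavaScript evaluator that decides whether a given kind of style source is applied under a CSP header, with style-src falling back to default-src. The header parsing and host matching are simplified assumptions (exact-origin comparison only, no scheme or wildcard hosts, no nonces or hashes).

```javascript
// Added example (not from the thread or the spec): evaluate the quoted
// 'unsafe-inline' rules for style-src against a CSP header string.
// Assumption: simplified CSP grammar (directives split on ';', sources on
// whitespace) and exact-origin host matching for external stylesheets.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective source list for styles: style-src, else default-src, else
// null meaning "no applicable directive, nothing is restricted".
function styleSources(policy) {
  return policy['style-src'] || policy['default-src'] || null;
}

// kind: 'style-element' | 'style-attribute' | 'external' | 'cssom'
// pageOrigin and sheetOrigin are only consulted for 'external'.
function styleAllowed(header, kind, pageOrigin, sheetOrigin) {
  const sources = styleSources(parsePolicy(header));
  if (sources === null) return true;
  switch (kind) {
    case 'cssom':
      return true; // spec note: CSSOM manipulation is never blocked
    case 'style-element':
    case 'style-attribute':
      // Both <style> and @style are ignored unless 'unsafe-inline' is listed.
      return sources.includes("'unsafe-inline'");
    case 'external':
      if (sources.includes("'none'")) return false;
      return sources.some(src =>
        src === '*' ||
        (src === "'self'" && sheetOrigin === pageOrigin) ||
        src === sheetOrigin);
    default:
      throw new Error('unknown style kind: ' + kind);
  }
}

// Constructed header for the demo; prints one verdict per style kind.
const EXAMPLE_HEADER = "default-src 'self'; style-src 'self' https://cdn.example";
for (const kind of ['style-element', 'style-attribute', 'external', 'cssom']) {
  console.log(kind, styleAllowed(EXAMPLE_HEADER, kind, 'https://app.example', 'https://cdn.example'));
}
```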

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2012 17:20:43 GMT