
Re: unsafe-inline for style-src

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 20 Sep 2012 13:46:27 -0400
Message-ID: <505B5673.7090104@mit.edu>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org
On 9/20/12 1:19 PM, Adam Barth wrote:
> 1) CSS3 attribute selectors.  These are scary because they can be used
> to extract information from the page, such as data typed into <input>
> elements.  Blocking the <style> element is enough to mitigate this
> risk.

For now.  Until people add selectors to inline styles.  There have been 
several proposals for that.

(On a side note, it's not clear to me how attribute selectors would lead 
data typed into an <input>, unless the page has script stashing the data 
into an attribute somewhere....)

> 2) Phishing.  If an attacker can inject elements into a page with
> arbitrary style, the attacker can completely change the appearance of
> the page and, for example, make the page show a login screen.  This
> attack is more powerful than a traditional phishing attack because the
> browser's location bar will still show the URL of the real web site
> (including any EV indicators or whatnot).  To mitigate this risk, we
> need to block both <style> and @style.

Agreed.

> For reference, here's the current text from the spec:
>
> ---8<---
> If 'unsafe-inline' is not in allowed style sources:
>
> * Whenever the user agent would apply style from a style element,
> instead the user agent must ignore the style.
> * Whenever the user agent would apply style from a style attribute,
> instead the user agent must ignore the style.
>
> Note: These restrictions on inline do not prevent the user agent from
> applying style from an external stylesheet (e.g., found via <link
> rel="stylesheet">). The user agent is also not prevented from applying
> style from Cascading Style Sheets Object Model (CSSOM). [CSSOM]
> --->8---
>
> Do you have a specific change to the text that you'd like to propose?

Yes.  I think the second bullet point should be more like:

   * Whenever the user agent would apply style from a CSS declaration 
block that corresponds to an element's inline style the user agent must 
ignore the style.

It's still a bit weird because http://dev.w3.org/csswg/css-style-attr/ 
is all about syntax and then acting "as if" there were a rule but never 
comes out and says "there is a declaration block here".  The behavior I 
want would be a lot easier to define if it did...

Also, I'm still not sure what the "not prevented" bit quoted above about 
the CSSOM really means.  Does it mean that if I link an external 
stylesheet and then modify its CSSOM the modifications should affect the 
styles that sheet applied?  If so, agreed.  Does it mean that if I have 
a <style> element and then I modify its CSSOM the modifications should 
affect the styles applied by the sheet?  This one I'm not quite sure 
about...

-Boris
Received on Thursday, 20 September 2012 17:46:56 GMT
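The quoted draft behaviour for style-src without 'unsafe-inline', as an added example that is not part of this thread or the spec: a toy policy checker in JavaScript. The helper names parseCsp, sourceMatches and styleAllowed are hypothetical, and source matching is simplified (ports and paths are ignored).

```javascript
// Added example (not from the thread or the spec): a small model of the
// quoted draft rule for 'unsafe-inline' in style-src. Simplified source
// matching: 'self', 'none', 'unsafe-inline', scheme sources ("https:") and
// host sources with an optional "*." label; ports and paths are ignored.
// Function names (parseCsp, sourceMatches, styleAllowed) are hypothetical.

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression allow fetching a stylesheet from `url` (absolute)?
// `self` is the origin of the document that carries the policy.
function sourceMatches(expr, url, self) {
  const target = new URL(url);
  if (expr === "'self'") return target.origin === self;
  if (expr.startsWith("'")) return false;           // other keywords never match a URL
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Decide whether style of a given kind may be applied under `policy`.
// `kind` is "style-element", "style-attribute", "external" or "cssom".
// Per the quoted draft: without 'unsafe-inline' the <style> element and the
// style attribute are ignored; external sheets are matched against the source
// list; CSSOM manipulation is "not prevented" (the thread asks what that covers).
function styleAllowed(policy, self, kind, url) {
  const sources = policy.get("style-src") ?? policy.get("default-src");
  if (!sources) return true;                        // no applicable directive
  if (kind === "cssom") return true;
  if (sources.includes("'none'")) return false;
  if (kind === "style-element" || kind === "style-attribute") {
    return sources.includes("'unsafe-inline'");
  }
  return sources.some((expr) => sourceMatches(expr, url, self));
}
```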
