W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

Re: unsafe-inline for style-src

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 20 Sep 2012 14:04:21 -0400
Message-ID: <505B5AA5.70608@mit.edu>
To: Mike West <mkwst@google.com>
CC: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org
On 9/20/12 1:56 PM, Mike West wrote:
> On Thu, Sep 20, 2012 at 7:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> For now.  Until people add selectors to inline styles.  There have been
>> several proposals for that.
>
> Hrm. That sounds weird.
>
> Link? I'm morbidly curious. :)

I'd have to search... it was on the public-html or whatwg list.

>> (On a side note, it's not clear to me how attribute selectors would lead
>> data typed into an <input>, unless the page has script stashing the data
>> into an attribute somewhere....)
>
> I just came across
> http://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf,
> which describes some interesting scriptless attack vectors. Section
> 3.1 bullet 3 and following has good detail on CSS3 in particular.

Sure.  There's all sorts of interesting stuff you can do with CSS, and I 
totally agree that you want to block it in many cases to avoid those 
things.  My side note was very specifically about the quoted combination 
of "attribute selector" and "leak data typed into an <input>", because 
that part is non-obvious to me.

-Boris
Received on Thursday, 20 September 2012 18:04:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2012 18:04:51 GMT