
Re: CSP and inline styles

From: Ian Melven <imelven@mozilla.com>
Date: Mon, 31 Dec 2012 16:09:39 -0800 (PST)
To: Yoav Weiss <yoav@yoav.ws>
Cc: public-webappsec@w3.org, Mike West <mkwst@google.com>
Message-ID: <429822327.4034153.1356998979645.JavaMail.root@mozilla.com>

Hi Yoav,

----- Original Message -----
From: "Yoav Weiss" <yoav@yoav.ws>
To: "Mike West" <mkwst@google.com>
Cc: public-webappsec@w3.org
Sent: Sunday, December 30, 2012 3:01:48 PM
Subject: Re: CSP and inline styles


> A different random thought - correct me if I'm wrong but there are 3 main dangers from injected styles: 
> * "javascript:" scheme URL or equivalent "data:" URIs 
> * "expression()" - Not sure it is still relevant past IE8 
> * Defacing 

we discussed this a little while ago and other threats were mentioned:

* using CSS selectors to steal passwords
(http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0052.html)

* phone home/exfiltration attacks
these can be blocked by using appropriate img-src and font-src directives (falling back
to (what is hopefully) a strict default-src) 

I think there's at least some level of consensus that preventing defacement is not a goal for CSP. 

thanks,
ian
Received on Tuesday, 1 January 2013 00:10:07 GMT
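
The fallback described in the message above (img-src and font-src falling back to default-src), as an added example that is not part of the original thread: a small checker that resolves the effective source list for each directive and reports the ones that still admit arbitrary remote hosts. The function names, the "open" heuristic and the sample policies are constructed for illustration.

```javascript
// Added example, not from the original thread. Names and samples are constructed.
const STYLE_FETCH_DIRECTIVES = ['img-src', 'font-src'];

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that governs a fetch directive: its own list if present,
// otherwise default-src, otherwise null (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Assumed heuristic: a list is "open" if it admits arbitrary remote hosts,
// i.e. it is absent, or contains "*" or a bare http:/https: scheme source.
function isOpen(sources) {
  if (sources === null) return true;
  return sources.some((s) => ['*', 'http:', 'https:'].includes(s.toLowerCase()));
}

// Directives through which a stylesheet-triggered fetch could reach any host.
function openStyleFetchDirectives(headerValue) {
  const policy = parsePolicy(headerValue);
  return STYLE_FETCH_DIRECTIVES.filter((d) => isOpen(effectiveSources(policy, d)));
}

// Constructed sample policies.
const samples = [
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "default-src 'self'; img-src *; style-src 'unsafe-inline'",
  "script-src 'self'; style-src 'unsafe-inline'",
  "default-src *; img-src 'self'; font-src 'none'",
];
for (const p of samples) {
  console.log(JSON.stringify(openStyleFetchDirectives(p)), '<-', p);
}
```

The third sample shows the case the "hopefully strict default-src" remark is about: with no default-src and no explicit img-src or font-src, both fetch types are unrestricted.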
