
CSP 1.0: Lax and strict CSS parsing rules

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 01 Mar 2013 19:15:56 +0100
To: public-webappsec@w3.org
Cc: www-style@w3.org
Message-ID: <etp1j81g0mn8usa1tb0o3q2efegj16u4lo@hive.bjoern.hoehrmann.de>

Hi,

  <http://www.w3.org/TR/2012/CR-CSP-20121115/#security-considerations>:

  The style-src directive restricts the locations from which the
  protected resource can load styles. However, if the user agent uses a
  lax CSS parsing algorithm, an attacker might be able to trick the user
  agent into accepting malicious "style sheets" hosted by an otherwise
  trustworthy origin.

  These attacks are similar to the CSS cross-origin data leakage attack
  described by Chris Evans in 2009. User agents should defend against
  both attacks using the same mechanism: stricter CSS parsing rules for
  style sheets with improper MIME types.

I do not understand this text, starting with why user agents would load
non-text/css resources as style sheets into `style-src` restricted
documents. It does not say what web sites can do to protect against this
kind of attack, or how using "stricter parsing rules" is a defense for
the user agent. More importantly, I do not understand how to comply with
the "SHOULD" requirement here: what actually are these "stricter rules"?

regards,
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 1 March 2013 18:16:23 GMT
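The quoted paragraph only says that a user agent should apply "stricter CSS parsing rules for style sheets with improper MIME types" without spelling those rules out. The following is an added illustration, written for this archive page and not taken from the mail, the CSP specification or any browser's code, of what such a rule set can look like when modelled as a decision over the fetched response's labelled MIME type, the origin relation and the document's rendering mode. The three-step rule inside `should_apply_as_style_sheet`, the `StyleFetch` record and the `SAMPLE_FETCHES` list are assumptions constructed for the example; a site operator can run the same `audit` over its own style loads to find resources that a strict user agent would silently drop, which is also the list of resources that need a proper `text/css` label.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The only MIME type that properly labels a style sheet.
PROPER_STYLE_TYPES = {"text/css"}


@dataclass
class StyleFetch:
    """One fetched candidate style sheet (see the constructed samples below)."""
    url: str
    sheet_origin: str            # origin the sheet was fetched from
    doc_origin: str              # origin of the document that referenced it
    content_type: Optional[str]  # raw Content-Type header value, None if absent
    quirks_mode: bool            # referencing document is in quirks mode


def essence_mime_type(content_type: Optional[str]) -> str:
    """Return the type/subtype without parameters, lower-cased.

    'Text/CSS; charset=utf-8' -> 'text/css'; a missing header -> ''.
    """
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def should_apply_as_style_sheet(fetch: StyleFetch) -> Tuple[bool, str]:
    """Decide whether a user agent applies the response as CSS.

    Assumed rule set (an assumption of this example, not text from the
    spec or the mail):
      1. A response labelled text/css is accepted.
      2. Otherwise a strict-mode (non-quirks) document rejects it outright:
         nothing that is not labelled CSS is ever parsed as CSS.
      3. A quirks-mode document tolerates an improperly labelled sheet only
         from its own origin; cross-origin mislabelled content is still
         rejected, since that is the case a cross-origin leak depends on.
    Returns (apply?, reason).
    """
    mime = essence_mime_type(fetch.content_type)
    if mime in PROPER_STYLE_TYPES:
        return True, "proper text/css label"
    label = mime or "<no Content-Type>"
    if not fetch.quirks_mode:
        return False, f"strict mode: improper type {label}"
    if fetch.sheet_origin != fetch.doc_origin:
        return False, f"quirks mode but cross-origin: improper type {label}"
    return True, f"quirks mode, same-origin: tolerating improper type {label}"


def audit(fetches: List[StyleFetch]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every fetch the modelled strict rule drops."""
    rejected = []
    for f in fetches:
        ok, reason = should_apply_as_style_sheet(f)
        if not ok:
            rejected.append((f.url, reason))
    return rejected


# Constructed sample records: what one site's style loads might look like.
SAMPLE_FETCHES = [
    StyleFetch("https://static.example/app.css", "https://static.example",
               "https://www.example", "text/css; charset=utf-8", False),
    StyleFetch("https://static.example/legacy.css", "https://static.example",
               "https://www.example", "text/plain", False),
    StyleFetch("https://www.example/old.css", "https://www.example",
               "https://www.example", "text/plain", True),
    StyleFetch("https://static.example/profile", "https://static.example",
               "https://www.example", "text/html; charset=utf-8", True),
    StyleFetch("https://static.example/untyped.css", "https://static.example",
               "https://www.example", None, False),
]


if __name__ == "__main__":
    for url, reason in audit(SAMPLE_FETCHES):
        print(f"rejected {url}: {reason}")
```

The point of the model is that the MIME-type check happens before any CSS parsing, so a lax tokenizer never sees a mislabelled cross-origin response; the `style-src` allow-list and the type check are complementary, because the former limits where sheets may come from and the latter limits what a response from an allowed origin may be treated as.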
