- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 05 Apr 2011 17:07:23 -0700
- To: public-web-security@w3.org
On 4/5/11 11:03 AM, Adam Barth wrote:
> Why doesn't style-src block inline style? What's the point of
> blocking external style sheets if the attacker can just open a <style>
> tag and add whatever styles he or she wants?

Currently style-src blocks external loads simply because they are external loads (like 'font-src', which arguably could be merged with style-src). In-line style isn't an XSS risk--in current browsers, anyway--so we left that alone. Is messing with an element's style much different from injecting other non-script HTML elements?

The decision was somewhat arbitrary. What tipped it for me was that XSS is such a scourge and our main target with CSP that I felt justified in being a dictatorial jerk and blocking in-line script by default; I couldn't quite argue that for style-src.

-Dan Veditz
Received on Wednesday, 6 April 2011 00:07:59 UTC