- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 5 Apr 2011 17:33:17 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-web-security@w3.org
On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 4/5/11 11:03 AM, Adam Barth wrote:
>> Why doesn't style-src block inline style? What's the point of blocking external style sheets if the attacker can just open a <style> tag and add whatever styles he or she wants?
>
> Currently style-src blocks external loads simply because they are external loads (like 'font-src', which arguably could be merged with style-src). In-line style isn't an XSS risk--in current browsers, anyway--so we left that alone. Is messing with an element's style much different from injecting other non-script HTML elements?
>
> The decision was somewhat arbitrary. What tipped it for me was that XSS is such a scourge and our main target with CSP that I felt justified in being a dictatorial jerk and blocking in-line script by default; I couldn't quite argue that for style-src.

I guess I don't understand the use case for blocking external style sheets but not inline style. Why would an author want to do that?

Adam
Received on Wednesday, 6 April 2011 00:34:15 UTC
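The question in the thread is whether style-src should govern inline style as well as external sheets. The semantics CSP later settled on do exactly that: style-src (falling back to default-src) covers both, and inline style is only permitted when the policy says 'unsafe-inline'. The checker below is an added example, not code from the list or from any browser; it is simplified to the 'self', '*', and full-origin source forms, and the policy strings in its test are constructed.

```python
# Added example: decide what a CSP policy allows for style sheets, using
# the semantics the spec eventually adopted: style-src (else default-src)
# governs external sheets AND inline <style>/style="" unless it contains
# 'unsafe-inline'. Host matching is simplified (no scheme-less hosts,
# no wildcard subdomains, no path matching).
from typing import Dict, List, Optional
from urllib.parse import urlparse


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}; first occurrence of a directive wins."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def style_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """Effective source list for styles: style-src, else default-src, else None (unrestricted)."""
    if "style-src" in directives:
        return directives["style-src"]
    return directives.get("default-src")


def inline_style_allowed(policy: str) -> bool:
    """Inline style is allowed only when no style policy applies or 'unsafe-inline' is present."""
    sources = style_sources(parse_csp(policy))
    return sources is None or "'unsafe-inline'" in sources


def external_style_allowed(policy: str, page_origin: str, sheet_url: str) -> bool:
    """External sheet is allowed if its origin matches a source entry ('self', '*', or exact origin)."""
    sources = style_sources(parse_csp(policy))
    if sources is None:
        return True
    sheet = urlparse(sheet_url)
    sheet_origin = f"{sheet.scheme}://{sheet.netloc}"
    for src in sources:
        if src == "'self'" and sheet_origin == page_origin:
            return True
        if src == "*" or src == sheet_origin:
            return True
    return False  # includes the 'none' case: nothing matched
```

With `default-src 'self'` alone, inline style is rejected; the "block external, allow inline" configuration the mail finds puzzling can be expressed as `style-src 'unsafe-inline'` with no host sources.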