W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Apr 2011 17:51:10 -0700
Message-ID: <BANLkTinpeVyNwokOQedFvKzuqPWp2E0EcA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Even if I buy that, it seems like the memory corruption attack surface
from external style is almost exactly the same as with inline style.
You'd need to block both to get that benefit.


On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I think the external style file could be used for attacking the
> browser with some sort of memory corruption. It has nothing to do with
> XSS.
> Replace style with font in the above line and I think the possibility
> becomes more acute.
> -devdatta
> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>> Why doesn't style-src block inline style?  What's the point of
>>>> blocking external style sheets if the attacker can just open a <style>
>>>> tag and add whatever styles he or she wants?
>>> currently style-src blocks external loads simply because they are
>>> external loads (like 'font-src', which arguably could be merged with
>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>> anyway--so we left that alone. Is messing with an element's style
>>> much different from injecting other non-script HTML elements?
>>> The decision was somewhat arbitrary. What tipped it for me was that
>>> XSS is such a scourge and our main target with CSP that I felt
>>> justified in being a dictatorial jerk and blocking in-line script by
>>> default; I couldn't quite argue that for style-src.
>> I guess I don't understand the use case for blocking external style
>> sheets but not inline style.  Why would an author want to do that?
>> Adam
Received on Wednesday, 6 April 2011 00:52:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC