W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: style-src and inline style

From: <sird@rckc.at>
Date: Tue, 5 Apr 2011 20:29:41 -0500
Message-ID: <BANLkTinmMKu-dOM-tyvs6QhqcpEpsdby7w@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
If styles are not blocked by CSP, you can make XSS attacks without JS,
I always thought that was why CSP blocked all external requests..

Though, in this case it doesn't make much sense so I'm not even sure
of that, but it does makes sense for img-src and etc..

-- Eduardo

On Tue, Apr 5, 2011 at 8:01 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I don't have much experience of how browsers internally work, but
> Daniel's reply made me think that there is some attack surface for all
> `external loads,' which is why CSP default-denies all external loads,
> including CSS style files.
> =devdatta
> On 5 April 2011 17:51, Adam Barth <w3c@adambarth.com> wrote:
>> Even if I buy that, it seems like the memory corruption attack surface
>> from external style is almost exactly the same as with inline style.
>> You'd need to block both to get that benefit.
>> Adam
>> On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> I think the external style file could be used for attacking the
>>> browser with some sort of memory corruption. It has nothing to do with
>>> XSS.
>>> Replace style with font in the above line and I think the possibility
>>> becomes more acute.
>>> -devdatta
>>> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>>>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>>>> Why doesn't style-src block inline style?  What's the point of
>>>>>> blocking external style sheets if the attacker can just open a <style>
>>>>>> tag and add whatever styles he or she wants?
>>>>> currently style-src blocks external loads simply because they are
>>>>> external loads (like 'font-src', which arguably could be merged with
>>>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>>>> anyway--so we left that alone. Is messing with an element's style
>>>>> much different from injecting other non-script HTML elements?
>>>>> The decision was somewhat arbitrary. What tipped it for me was that
>>>>> XSS is such a scourge and our main target with CSP that I felt
>>>>> justified in being a dictatorial jerk and blocking in-line script by
>>>>> default; I couldn't quite argue that for style-src.
>>>> I guess I don't understand the use case for blocking external style
>>>> sheets but not inline style.  Why would an author want to do that?
>>>> Adam
Received on Wednesday, 6 April 2011 01:30:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC