Re: style-src and inline style from Collin Jackson on 2011-04-06 (public-web-security@w3.org from April 2011)

From: Collin Jackson <collin.jackson@sv.cmu.edu>
Date: Tue, 5 Apr 2011 18:29:53 -0700
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <BANLkTikGN+YAEHjqqSL+kQzVOxabn3ZDZA@mail.gmail.com>

Mitigating memory corruption does not strike me as a particularly
interesting use case for CSP. It is interesting to think about
attackers injecting and styling fake login forms, however.

On Tuesday, April 5, 2011, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I don't have much experience of how browsers internally work, but
> Daniel's reply made me think that there is some attack surface for all
> `external loads,' which is why CSP default-denies all external loads,
> including CSS style files.
>
> =devdatta
>
> On 5 April 2011 17:51, Adam Barth <w3c@adambarth.com> wrote:
>> Even if I buy that, it seems like the memory corruption attack surface
>> from external style is almost exactly the same as with inline style.
>> You'd need to block both to get that benefit.
>>
>> Adam
>>
>>
>> On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> I think the external style file could be used for attacking the
>>> browser with some sort of memory corruption. It has nothing to do with
>>> XSS.
>>>
>>> Replace style with font in the above line and I think the possibility
>>> becomes more acute.
>>>
>>> -devdatta
>>>
>>> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>>>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>>>> Why doesn't style-src block inline style?  What's the point of
>>>>>> blocking external style sheets if the attacker can just open a <style>
>>>>>> tag and add whatever styles he or she wants?
>>>>>
>>>>> currently style-src blocks external loads simply because they are
>>>>> external loads (like 'font-src', which arguably could be merged with
>>>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>>>> anyway--so we left that alone. Is messing with an element's style
>>>>> much different from injecting other non-script HTML elements?
>>>>>
>>>>> The decision was somewhat arbitrary. What tipped it for me was that
>>>>> XSS is such a scourge and our main target with CSP that I felt
>>>>> justified in being a dictatorial jerk and blocking in-line script by
>>>>> default; I couldn't quite argue that for style-src.
>>>>
>>>> I guess I don't understand the use case for blocking external style
>>>> sheets but not inline style.  Why would an author want to do that?
>>>>
>>>> Adam
>>>>
>>>>
>>>
>>
>
>

Received on Wednesday, 6 April 2011 01:31:54 UTC