- From: <sird@rckc.at>
- Date: Tue, 5 Apr 2011 20:57:08 -0500
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Of course, if you're talking about CSS3 shenanigans, then that's a
> horse of a different color.

Right, I'm talking about selectors, and about half-opened HTML tags.

-- Eduardo

On Tue, Apr 5, 2011 at 8:29 PM, Collin Jackson <collin.jackson@sv.cmu.edu> wrote:
> Mitigating memory corruption does not strike me as a particularly
> interesting use case for CSP. It is interesting to think about
> attackers injecting and styling fake login forms, however.
>
> On Tuesday, April 5, 2011, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> I don't have much experience of how browsers internally work, but
>> Daniel's reply made me think that there is some attack surface for all
>> `external loads,' which is why CSP default-denies all external loads,
>> including CSS style files.
>>
>> =devdatta
>>
>> On 5 April 2011 17:51, Adam Barth <w3c@adambarth.com> wrote:
>>> Even if I buy that, it seems like the memory corruption attack surface
>>> from external style is almost exactly the same as with inline style.
>>> You'd need to block both to get that benefit.
>>>
>>> Adam
>>>
>>>
>>> On Tue, Apr 5, 2011 at 5:43 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> I think the external style file could be used for attacking the
>>>> browser with some sort of memory corruption. It has nothing to do with
>>>> XSS.
>>>>
>>>> Replace style with font in the above line and I think the possibility
>>>> becomes more acute.
>>>>
>>>> -devdatta
>>>>
>>>> On 5 April 2011 17:33, Adam Barth <w3c@adambarth.com> wrote:
>>>>> On Tue, Apr 5, 2011 at 5:07 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>>> On 4/5/11 11:03 AM, Adam Barth wrote:
>>>>>>> Why doesn't style-src block inline style? What's the point of
>>>>>>> blocking external style sheets if the attacker can just open a <style>
>>>>>>> tag and add whatever styles he or she wants?
>>>>>>
>>>>>> Currently style-src blocks external loads simply because they are
>>>>>> external loads (like 'font-src', which arguably could be merged with
>>>>>> style-src). In-line style isn't an XSS risk--in current browsers,
>>>>>> anyway--so we left that alone. Is messing with an element's style
>>>>>> much different from injecting other non-script HTML elements?
>>>>>>
>>>>>> The decision was somewhat arbitrary. What tipped it for me was that
>>>>>> XSS is such a scourge and our main target with CSP that I felt
>>>>>> justified in being a dictatorial jerk and blocking in-line script by
>>>>>> default; I couldn't quite argue that for style-src.
>>>>>
>>>>> I guess I don't understand the use case for blocking external style
>>>>> sheets but not inline style. Why would an author want to do that?
>>>>>
>>>>> Adam
>>>>
>>>
>>
>
Received on Wednesday, 6 April 2011 01:57:56 UTC