- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 6 Apr 2011 01:02:49 -0700
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On Wed, Apr 6, 2011 at 1:00 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 6 April 2011 01:33, Adam Barth <w3c@adambarth.com> wrote:
>> I guess I don't understand the use case for blocking external style
>> sheets but not inline style. Why would an author want to do that?
>
> +1
>
> Even if we ignore the XSS threat from style, we don't want an attacker to be
> able to inject:-
> <div style="background:url(//banking?transfer=1337&account=12345)"></div>

That specific case would be controlled by img-src. Of course, a@href
isn't controlled by CSP, which means the attacker can always mount a
CSRF attack, but that's out of scope.

Adam
Received on Wednesday, 6 April 2011 08:03:49 UTC
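The point Adam makes above, that the request triggered by an injected `background:url(...)` is an image fetch and so falls under img-src rather than style-src, while an `<a href>` navigation is not governed by CSP at all, can be checked against a small model of CSP 1.0 directive selection and source matching. The following is an added example written for this page; it is not code from the thread, from a browser, or from the CSP specification. It models only whether the fetch is permitted, not whether the inline style attribute itself is applied, ignores ports and paths, and treats `default-src` as the fallback for a missing `img-src`. The page URL `https://bank.example/account`, the `isAllowed`/`cssUrls`/`scenario` names and the policy strings are all constructed for illustration.

```javascript
// Added example: a small model of how CSP 1.0 maps a fetch to a directive and
// matches source expressions. Not browser code and not code from the thread;
// ports and path matching are deliberately left out.

// Which directive governs each kind of load. The value in a style attribute's
// background:url(...) is fetched as an image, so img-src decides it; CSP 1.0
// has no directive for where an <a href> may navigate.
const DIRECTIVE_FOR = {
  image: 'img-src',
  stylesheet: 'style-src',
  navigation: null,
};

// "img-src 'self' https://cdn.example; default-src 'none'"
//   -> { 'img-src': ["'self'", 'https://cdn.example'], 'default-src': ["'none'"] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Pull every url(...) token out of a style attribute or stylesheet text.
function cssUrls(cssText) {
  const urls = [];
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
  let m;
  while ((m = re.exec(cssText)) !== null) urls.push(m[2]);
  return urls;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);                 // "*.bank.example" -> ".bank.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// One source expression ('self', 'none', *, scheme:, [scheme://]host) against a URL.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") {
    return url.protocol === pageOrigin.protocol && url.host === pageOrigin.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:'"]+)$/.exec(e);   // host-source
  if (!m) return false;                                            // keywords not modelled
  const [, scheme, hostPattern] = m;
  const wantProtocol = scheme ? scheme + ':' : pageOrigin.protocol;
  return url.protocol === wantProtocol && hostMatches(hostPattern, url.hostname);
}

// Decide whether a load of `fetchType` to `target` (possibly scheme-relative,
// like //banking?...) from a page at `pageUrl` is permitted by `header`.
function isAllowed(header, pageUrl, fetchType, target) {
  const directive = DIRECTIVE_FOR[fetchType];
  if (directive === null) return { governed: false, allowed: true };
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return { governed: false, allowed: true };         // nothing restricts it
  const url = new URL(target, pageUrl);                            // resolves "//banking"
  const pageOrigin = new URL(pageUrl);
  return { governed: true, allowed: sources.some(s => sourceMatches(s, url, pageOrigin)) };
}

// Constructed scenario: the injected attribute from the thread on a hypothetical bank page.
const PAGE = 'https://bank.example/account';
const INJECTED = 'background:url(//banking?transfer=1337&account=12345)';

function scenario() {
  const [target] = cssUrls(INJECTED);                              // "//banking?transfer=..."
  return {
    styleSrcOnly: isAllowed("style-src 'self'", PAGE, 'image', target),       // fetch not governed
    imgSrcSelf:   isAllowed("img-src 'self'", PAGE, 'image', target),         // governed, blocked
    defaultNone:  isAllowed("default-src 'none'", PAGE, 'image', target),     // governed, blocked
    imgSrcAny:    isAllowed("img-src *", PAGE, 'image', target),              // governed, allowed
    linkNav:      isAllowed("default-src 'none'", PAGE, 'navigation', target), // CSP is silent
  };
}

console.log(scenario());
```

Running it shows the two halves of the reply: a policy that only restricts `style-src` leaves the `//banking?...` image fetch ungoverned, `img-src 'self'` (or a `default-src` fallback) blocks it, and a navigation to the same URL through an `<a href>` is not something the policy can decide, which is the CSRF case Adam sets aside.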