- From: gaz Heyes <gazheyes@gmail.com>
- Date: Wed, 6 Apr 2011 09:48:21 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
Received on Wednesday, 6 April 2011 08:48:48 UTC
On 6 April 2011 09:02, Adam Barth <w3c@adambarth.com> wrote:

> That specific case would be controlled by img-src. Of course, a@href
> isn't controlled by CSP, which means the attacker can always mount a
> CSRF attack, but that's out of scope.

Ok so CSP allows <style> blocks? Then maybe disabling vendor-specific functionality could be a good option (-o-link etc.), but then we have the CSS overlay problem: if I can inject inline styles then we can replace the site UI with something unexpected. I think Adam is right here, inline styles are as much of a problem as inline script IMO.
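As an added example, not part of gaz Heyes's message or of the thread: a small Python check for whether a given Content-Security-Policy value still permits inline `<style>` blocks, the situation the message is worried about. It assumes the style-src / default-src fallback rule and the 'unsafe-inline' / nonce / hash semantics as specified in CSP Level 2 and later, not the 2011 draft discussed in the thread.

```python
"""Decide whether a CSP header value permits inline <style> blocks.

Added example, not from the mailing-list thread. Assumptions (per CSP Level 2+):
  * if style-src is absent, default-src governs styles;
  * if both are absent, inline styles are allowed;
  * 'unsafe-inline' permits them, unless a nonce- or hash-source is also
    listed, in which case browsers ignore 'unsafe-inline'.
"""

HASH_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP value into {directive_name: [source, ...]} (names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _has_nonce_or_hash(sources) -> bool:
    """True if any source expression is a nonce- or hash-source."""
    return any(s.strip("'").lower().startswith(HASH_PREFIXES) for s in sources)


def allows_inline_styles(header: str) -> bool:
    """Return True when the policy lets injected inline styles apply."""
    policy = parse_csp(header)
    # style-src wins; default-src is the fallback; None means unconstrained.
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    quoted = [s.lower() for s in sources]
    return "'unsafe-inline'" in quoted and not _has_nonce_or_hash(quoted)


if __name__ == "__main__":
    # Constructed sample policies, weak ones beside corrected ones.
    for csp in ("script-src 'self'",                                  # styles unconstrained
                "default-src 'self'; style-src 'self' 'unsafe-inline'",  # weak
                "style-src 'self' 'unsafe-inline' 'nonce-d3adb33f'",  # nonce neutralises it
                "default-src 'self'"):                                # fallback blocks inline
        print(f"{csp!r:60} inline styles allowed: {allows_inline_styles(csp)}")
```

The same fallback logic applies to script-src, so the check can be generalised by parameterising the directive name.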