Re: style-src and inline style

On 04/06/2011 12:33 PM, Collin Jackson wrote:
> 
> 
> On Wed, Apr 6, 2011 at 11:40 AM, Brandon Sterne <bsterne@mozilla.com> wrote:
> 
>     Personally, I think consistency is desirable, but not if it makes the
>     work of CSP server implementors necessarily hard ("now go remove all
>     instances of inline style") for limited benefit.
> 
> 
> Presumably most authors are not going to use style-src since it doesn't
> solve any XSS problems. Blocking inline styles for people who do use
> style-src seems both consistent and desirable.

What about a secure site that only wants to load their stylesheet over
TLS?  It is asking them to do quite a lot of work if we require they
remove all inline CSS.

-Brandon

Received on Wednesday, 6 April 2011 19:54:12 UTC