- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 6 Apr 2011 23:42:13 -0700
- To: public-web-security@w3.org
Which CSP directive should control XSLT style sheets? style-src says:

[[
The style-src directive defines the list of sources that are permitted to load <link rel="stylesheet"> elements, or external stylesheets.
]]

Is an XSLT an external style sheet? On the other hand, they can be used to inject markup into the document, so maybe controlling them with script-src is more appropriate? On yet a third hand, maybe the markup isn't that dangerous given that it's subject to the CSP policy?

Tentative recommendation: Control XSLT with style-src. (Warning: I haven't thought through this recommendation carefully.)

Adam

Received on Thursday, 7 April 2011 06:43:12 UTC