- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 7 Apr 2011 22:08:53 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: public-web-security@w3.org

On Thu, Apr 7, 2011 at 4:53 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 07.04.2011 08:42, Adam Barth wrote:
>>
>> Which CSP directive should control XSLT style sheets?
>>
>> style-src says:
>> [[
>> The style-src directive defines the list of sources that are permitted
>> to load <link rel="stylesheet"> elements, or external stylesheets.
>> ]]
>>
>> Is an XSLT an external style sheet?
>>
>> On the other hand, they can be used to inject markup into the document,
>> so maybe controlling them with script-src is more appropriate? On yet
>> ...
>
> Is "inject" the right term here? After all, applying XSLT yields a new
> document, no?

That's a somewhat zen question. The net result is that the XSLT gets
to choose the DOM that executes in the document's original security
context.

Adam

Received on Friday, 8 April 2011 05:09:53 UTC