- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 14 Apr 2011 13:51:28 -0700
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- CC: Adam Barth <w3c@adambarth.com>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/11/11 11:19 AM, Brandon Sterne wrote:
> On 4/7/11 9:17 AM, Collin Jackson wrote:
>> I'd like to suggest option 3, which is to block inline styles by default
>> only if a style-src directive is present (authors can use style-src
>> 'inline' if they want to use style-src with inline styles).
>>
>> Attaching default blocking behaviors to specific directives rather than
>> to the entirety of CSP makes the spec more extensible and allows us to
>> support a variety of use cases while still keeping policies simple.
>
> I think this is the best solution offered so far. If there are no
> objections, I'll make this change to the spec draft as well.

I'm in the process of making this change, and I'm wondering how best to extend this to be consistent with script-src. The proposal is to disable inline style when style-src is present and only allow it when the 'inline' keyword is added to style-src. For script-src, however, adding the 'inline' keyword to script-src is less desirable than the disable-xss-protection options token we had previously (from the standpoint of conveying sufficient caution when enabling inline script).

One option would be to change 'inline' to 'inline-style' that only has an effect when declared inside style-src, and have a different keyword for inline script, potentially keeping 'disable-xss-protection'. Yes, that would be less consistent syntactically, but it would preserve the "Foot Gun Here" element.

Separately, it's somewhat less elegant to say that inline script is disabled when any of:

1. script-src
2. object-src
3. ...

are present (rather than the single style-src directive), but I haven't really heard a better suggestion so far. Should this list be hard coded, or should it be defined in terms of "content loading directives that can lead to script execution"? Of course this list only has two items presently, but one could imagine the introduction of a new scripty browser feature that would need to be added to the list in the future.

I have most of this change mapped out, but I'll wait to hear back from a few folks on this second issue before I push anything out.

Thanks,
Brandon
Received on Thursday, 14 April 2011 20:51:57 UTC
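The two rules under discussion (inline style disabled only when `style-src` is present unless `'inline'` is given; inline script disabled when any script-loading directive is present unless the `disable-xss-protection` options token is given) can be made concrete with a small policy evaluator. This is an added example, not code from the message, the CSP draft, or any browser. It assumes the pre-1.0 header syntax of `;`-separated directives with space-separated source expressions, assumes that a repeated directive is ignored after its first occurrence, and models the "content loading directives that can lead to script execution" question from the message as an extensible set rather than a hard-coded `if`, so adding a future directive is a one-line change. The sample policies at the bottom are constructed for illustration.

```python
"""Toy evaluator for the inline-content rules proposed in this thread.

Added example; assumptions (not from the message): the keyword for inline
style is 'inline' inside style-src, the keyword for inline script is the
options token disable-xss-protection, and duplicate directives are ignored
after the first occurrence.
"""
from typing import Dict, List, Tuple

# Directives whose presence switches off inline script. Kept as a set
# rather than an if/else chain so a new "scripty" directive can be added
# here without touching the check below (the message's open question).
SCRIPT_LOADING_DIRECTIVES = {"script-src", "object-src"}

# Keywords assumed for this example.
INLINE_STYLE_KEYWORD = "'inline'"
INLINE_SCRIPT_TOKEN = "disable-xss-protection"


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Parse "name src src; name src" into {name: [src, ...]}.

    Directive names are lower-cased; a directive that appears more than once
    keeps only its first occurrence (assumption, see module docstring).
    Empty directives produced by a trailing ';' are skipped.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # later duplicate is ignored
        policy[name] = tokens[1:]
    return policy


def inline_style_allowed(policy: Dict[str, List[str]]) -> bool:
    """Collin's option 3: only style-src's presence affects inline style."""
    style_sources = policy.get("style-src")
    if style_sources is None:
        return True  # no style-src at all: inline style is left alone
    return INLINE_STYLE_KEYWORD in style_sources


def inline_script_allowed(policy: Dict[str, List[str]]) -> bool:
    """Inline script is off when any script-loading directive is present,
    unless the options token re-enables it (the "Foot Gun Here" switch)."""
    if not (SCRIPT_LOADING_DIRECTIVES & policy.keys()):
        return True  # policy says nothing about script loading
    return INLINE_SCRIPT_TOKEN in policy.get("options", [])


def evaluate(header: str) -> Tuple[bool, bool]:
    """Return (inline_style_allowed, inline_script_allowed) for a header."""
    policy = parse_policy(header)
    return inline_style_allowed(policy), inline_script_allowed(policy)


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    samples = [
        "default-src 'self'",
        "style-src 'self'",
        "style-src 'self' 'inline'",
        "script-src 'self'",
        "object-src 'none'; options disable-xss-protection",
        "SCRIPT-SRC 'self'; script-src 'inline';",
    ]
    for header in samples:
        style_ok, script_ok = evaluate(header)
        print(f"{header!r:55} inline style={style_ok!s:5} inline script={script_ok}")
```

Running the block prints one line per sample; the last sample shows why the duplicate-directive and case-folding assumptions matter: a second `script-src` cannot sneak a keyword past the first one. The keyword that eventually shipped in CSP is `'unsafe-inline'`, which is the "Foot Gun Here" naming concern from the message resolved in favour of a single, deliberately alarming token for both style and script.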