- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 14 Apr 2011 15:38:53 -0700
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On Thu, Apr 14, 2011 at 1:51 PM, Brandon Sterne <bsterne@mozilla.com> wrote: > On 4/11/11 11:19 AM, Brandon Sterne wrote: >> On 4/7/11 9:17 AM, Collin Jackson wrote: >>> I'd like to suggest option 3, which is to block inline styles by default >>> only if a style-src directive is present (authors can use style-src >>> 'inline' if they want to use style-src with inline styles). >>> >>> Attaching default blocking behaviors to specific directives rather than >>> to the entirety of CSP makes the spec more extensible and allows us to >>> support a variety of use cases while still keeping policies simple. >> >> I think this is the best solution offered so far. If there are no >> objections, I'll make this change to the spec draft as well. > > I'm in the process of making this change, and I'm wondering how best to > extend this to be consistent with script-src. > > The proposal is to disable inline style when style-src is present and > only allow it when the 'inline' keyword is added to style-src. > > For script-src, however, adding the 'inline' keyword to script-src is > less desirable than the disable-xss-protection options token we had > previously (from the standpoint of conveying sufficient caution when > enabling inline script). One option would be to change 'inline' to > 'inline-style' that only has an effect when declared inside style-src, > and have a different keyword for inline script, potentially keeping > 'disable-xss-protection'. Yes, that would be less consistent > syntactically, but it would preserve the "Foot Gun Here" element. > > Separately, it's somewhat less elegant to say that inline script is > disabled when any of: > > 1. script-src > 2. object-src > 3. ... > > are present (rather than the single style-src directive), but I haven't > really heard a better suggestion so far. One option is to say that inline script is disabled when script-src is present (i.e., not triggering that restriction on object-src). The thought process is that you can't tell the "src" of inline script, so script-src should block it. Adam > Should this list be hard > coded, or should it be defined in terms of "content loading directives > that can lead to script execution"? Of course this list only has two > items presently, but one could imaging the introduction of a new scripty > browser feature that would need to be added to the list in the future. > > I have most of this change mapped out, but I'll wait to hear back from a > few folks on this second issue before I push anything out. > > Thanks, > Brandon >
Received on Thursday, 14 April 2011 22:39:55 UTC