- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 15 Apr 2011 13:47:28 -0700
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- CC: Adam Barth <w3c@adambarth.com>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/14/11 2:48 PM, Collin Jackson wrote:
> On Thu, Apr 14, 2011 at 8:51 PM, Brandon Sterne <bsterne@mozilla.com <mailto:bsterne@mozilla.com>> wrote:
> For script-src, however, adding the 'inline' keyword to script-src is less desirable than the disable-xss-protection options token we had previously (from the standpoint of conveying sufficient caution when enabling inline script). One option would be to change 'inline' to 'inline-style' that only has an effect when declared inside style-src, and have a different keyword for inline script, potentially keeping 'disable-xss-protection'. Yes, that would be less consistent syntactically, but it would preserve the "Foot Gun Here" element.
>
> A few alternatives (not sure if they're better, but just throwing them out there):
>
> * Use the keyword "unsafe-inline" instead of "inline." Is that scary sounding enough?
> * Ignore the keyword "inline" unless the disable-xss-protection directive is present. Authors would need to use both disable-xss-protection and script-src inline if they want to allow inline script with a script-src directive present.

Okay, so inline style is now disabled by default when style-src is declared. I just pushed this change:

https://dvcs.w3.org/hg/content-security-policy/rev/96e6025b286f

which incorporates the first alternative Collin listed above but preserves the option to do the second if we decide that's the way we want to go. See:

https://dvcs.w3.org/hg/content-security-policy/rev/96e6025b286f#l1.189

On 4/14/11 3:38 PM, Adam Barth wrote:
> On Thu, Apr 14, 2011 at 1:51 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
>> Separately, it's somewhat less elegant to say that inline script is disabled when any of:
>>
>> 1. script-src
>> 2. object-src
>> 3. ...
>>
>> are present (rather than the single style-src directive), but I haven't really heard a better suggestion so far.
>
> One option is to say that inline script is disabled when script-src is present (i.e., not triggering that restriction on object-src). The thought process is that you can't tell the "src" of inline script, so script-src should block it.
>
> Adam

This still feels unresolved, so I added an "Issue" to track this:

https://dvcs.w3.org/hg/content-security-policy/rev/96e6025b286f#l1.159

Cheers,
Brandon
Received on Friday, 15 April 2011 20:48:00 UTC
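To make the alternatives in the thread concrete, here is a small evaluator (an added example, not code from the thread or from the CSP specification) that models the rules being debated: inline style is blocked once style-src is declared unless its source list carries 'unsafe-inline' (the alternative that was pushed), inline script is blocked once script-src is declared while object-src does not trigger that restriction (Adam's suggestion), and an optional mode implements Collin's second alternative, where 'unsafe-inline' in script-src only counts if a disable-xss-protection directive is also present. The header parsing, the directive names and the `require_dxp` switch are simplifying assumptions of this example, not spec text.

```python
"""Toy evaluator for the inline-content rules discussed in the thread.

Assumptions (not from the spec): directives are ';'-separated, tokens are
whitespace-separated, keyword sources keep their single quotes exactly as
written, and 'disable-xss-protection' is a bare directive with no sources.
"""


def parse_csp(header: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are lowercased; source tokens are kept verbatim.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_allowed(policy: dict, directive: str, require_dxp: bool = False) -> bool:
    """Decide whether inline content governed by `directive` may run.

    - directive absent            -> allowed (no restriction imposed)
    - directive present, no token -> blocked (the default the thread settled on)
    - 'unsafe-inline' present     -> allowed, unless require_dxp is set for
      script-src, in which case disable-xss-protection must also be declared
      (Collin's second alternative).
    """
    sources = policy.get(directive)
    if sources is None:
        return True
    if "'unsafe-inline'" not in sources:
        return False
    if require_dxp and directive == "script-src":
        return "disable-xss-protection" in policy
    return True


def evaluate(header: str, require_dxp: bool = False) -> dict:
    """Return the inline-style / inline-script verdicts for one policy header."""
    policy = parse_csp(header)
    return {
        "inline_style": inline_allowed(policy, "style-src", require_dxp),
        "inline_script": inline_allowed(policy, "script-src", require_dxp),
    }
```

Note that a policy declaring only object-src leaves inline script allowed under this model, which is exactly the point Adam raises and Brandon leaves open as an Issue.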