Re: XSLT style sheets

On 4/6/11 11:42 PM, Adam Barth wrote:
> Which CSP directive should control XSLT style sheets?
> 
> style-src says:
> [[
> The style-src directive defines the list of sources that are permitted
> to load <link rel="stylesheet"> elements, or external stylesheets.
> ]]
> 
> Is an XSLT an external style sheet?
> 
> On the other hand, they can be used to inject markup into the document,
> so maybe controlling them with script-src is more appropriate?  On yet
> a third hand, maybe the markup isn't that dangerous given that it's
> subject to the CSP policy?
> 
> Tentative recommendation: Control XSLT with style-src.  (Warning: I
> haven't thought through this recommendation carefully.)

I just pushed a changeset that adds XSLT stylesheets to the style-src
directive:
https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5

I agree that this makes the most sense semantically, and adds no real
XSS attack surface since any script (or other resources) that the
stylesheet adds will be subject to the "original" document's CSP.  I
suppose this last point should be made explicit in the spec.  I'll add
that to my issue tracker.

Cheers,
Brandon

Received on Friday, 10 June 2011 23:41:43 UTC