Re: XSLT style sheets

Brandon Sterne wrote:
> On 4/6/11 11:42 PM, Adam Barth wrote:
> > Tentative recommendation: Control XSLT with style-src. (Warning: I
> > haven't though through this recommendation carefully.)
> I just pushed a changeset that adds XSLT stylesheets to the style-src
> directive:
> I agree that this makes the most sense semantically, and adds no real
> XSS attack surface since any script (or other resources) that the
> stylesheet adds will be subject to the "original" document's CSP. I
> suppose this last point should be made explicit in the spec. I'll add
> that to my issue tracker.

How would CSP affect the document() function in XSLT, which can import nodes from external documents?

CSS can change how a page is displayed, but XSLT actually changes the content of the page. XSLT is a turing-complete, though tedious, programming functional programming language. IIRC, there are various XSLT extensions that are potentially dangerous, but I don't know if any browsers implement them. XSLT seems much more like JavaScript than it is like CSS. 

If I were a content author, I would very much like to block all XSLT, completely, without having to block JS or CSS.


Received on Tuesday, 14 June 2011 00:37:10 UTC