- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 14 Jun 2011 09:49:31 -0700
- To: Brian Smith <bsmith@mozilla.com>
- CC: public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
On 06/10/2011 04:57 PM, Brian Smith wrote:
> Brandon Sterne wrote:
>> I just pushed a changeset that adds XSLT stylesheets to the style-src
>> directive:
>> https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5
>
> How would CSP affect the document() function in XSLT, which can import nodes from external documents?
>
> CSS can change how a page is displayed, but XSLT actually changes the content of the page. XSLT is a Turing-complete, though tedious, functional programming language. IIRC, there are various XSLT extensions that are potentially dangerous, but I don't know if any browsers implement them. XSLT seems much more like JavaScript than it is like CSS.
>
> If I were a content author, I would very much like to block all XSLT, completely, without having to block JS or CSS.
>
> Cheers,
> Brian

I spoke with Brian a bit more yesterday, and he convinced me that bucketing XSLT with style-src is a bad idea.

Before we spoke, my feeling was that the increased capabilities of XSLT over CSS stylesheets were mitigated both by the fact that they can only be used in XML documents, and that any content added by the XSLT would be subject to the document's CSP.

The first mitigation will be of small comfort to XHTML pages or HTML pages that are well-formatted XML. The second mitigation doesn't fully account for changes to the DOM that XSL transforms are capable of and which might be unexpected by the transformed page. The XSL stylesheet can add and remove nodes that might affect the security properties of a page. XSLT could remove the script node, for instance, that was responsible for frame busting.

So I think we either need to create a different category (xslt-src?) for XSL stylesheets, or lump them with script-src, which sites will understand has a higher risk profile.

Thoughts?

Thanks,
Brandon
Received on Tuesday, 14 June 2011 16:48:44 UTC
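To make the bucketing question concrete, here is an added example (not part of the thread and not the CSP spec's or any browser's code) that models a simplified CSP 1.0 source-list match and evaluates the same XSLT stylesheet URL under each of the three candidate directives discussed above. The policy header, origins and URLs are constructed; the `xslt-src` directive is the hypothetical one Brandon floats, and when it is absent the model falls back to `default-src` as CSP does for other fetch directives.

```python
"""Simplified CSP source matching to compare where an XSLT load is governed.

Constructed example for the mailing-list discussion above; it models CSP 1.0
semantics (host, scheme, wildcard-subdomain, 'self', 'none', *) without ports
or paths and is not a spec-conformant implementation.
"""
from urllib.parse import urlsplit


def parse_policy(header: str) -> dict:
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a resource URL."""
    u = urlsplit(url)
    resource_origin = f"{u.scheme}://{u.netloc}"
    if source == "'none'":
        return False
    if source == "'self'":
        return resource_origin == page_origin
    if source == "*":
        return True
    # scheme-source such as "https:" (no host part)
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]
    # host-source, optionally prefixed with a scheme and using a "*." wildcard
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        # "*.example" matches "cdn.example" but not the bare "example"
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if `url` may load under `directive`; falls back to default-src.

    With neither the directive nor default-src present, the load is allowed,
    mirroring how an unspecified fetch directive imposes no restriction.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def compare_buckets(policy_header: str, xslt_url: str, page_origin: str) -> dict:
    """Evaluate one XSLT stylesheet URL under each candidate governing directive."""
    policy = parse_policy(policy_header)
    return {
        bucket: allows(policy, bucket, xslt_url, page_origin)
        for bucket in ("style-src", "script-src", "xslt-src")
    }


if __name__ == "__main__":
    # Constructed policy: styles may come from a CDN, scripts only from self.
    header = "default-src 'self'; style-src 'self' cdn.example; script-src 'self'"
    result = compare_buckets(header, "https://cdn.example/transform.xsl",
                             "https://app.example")
    for bucket, permitted in result.items():
        print(f"{bucket:10s} -> {'allowed' if permitted else 'blocked'}")
```

With a typical "CDN for styles, self for scripts" policy, the same stylesheet is allowed if XSLT sits under style-src and blocked under script-src or a dedicated xslt-src that inherits default-src; this is exactly the gap Brian's objection points at, since a site that loosened style-src for CSS would unknowingly have loosened it for content-rewriting transforms too.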