Re: XSLT style sheets from Giorgio Maone on 2011-06-14 (public-web-security@w3.org from June 2011)

From: Giorgio Maone <g.maone@informaction.com>
Date: Tue, 14 Jun 2011 19:14:17 +0200
To: Brandon Sterne <bsterne@mozilla.com>
CC: Brian Smith <bsmith@mozilla.com>, public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
Message-ID: <4DF796E9.8070500@informaction.com>

> lump them with script-src which sites will
> understand has a higher risk profile.  Thoughts?

FWIW, NoScript has been applying the same policy to XSLT and scripts for more
than two years (more specifically, stylesheets are blocked unless they’re from
a trusted source and their parent document is trusted as well).

Incidentally, this topic is getting some attention in security talks lately,
e.g. http://www.hackinparis.com/talk-offensive-xslt

-- G


Brandon Sterne wrote, On 14/06/2011 18.49:
> On 06/10/2011 04:57 PM, Brian Smith wrote:
>> Brandon Sterne wrote:
>>> I just pushed a changeset that adds XSLT stylesheets to the style-src
>>> directive:
>>> https://dvcs.w3.org/hg/content-security-policy/rev/6f4cab889cb5
>>
>> How would CSP affect the document() function in XSLT, which can import nodes from external documents?
>>
>> CSS can change how a page is displayed, but XSLT actually changes the content of the page. XSLT is a turing-complete, though tedious, programming functional programming language. IIRC, there are various XSLT extensions that are potentially dangerous, but I don't know if any browsers implement them. XSLT seems much more like JavaScript than it is like CSS. 
>>
>> If I were a content author, I would very much like to block all XSLT, completely, without having to block JS or CSS.
>>
>> Cheers,
>> Brian
> 
> I spoke with Brian a bit more yesterday, and he convinced me that
> bucketing XSLT with style-src is a bad idea.  Before we spoke, my
> feeling was that the increased capabilities of XSLT over CSS stylesheets
> were mitigated both by the fact they can only be used in XML documents,
> and that any content added by the XSLT would be subject to the
> document's CSP.  The first mitigation will be of small comfort to XHTML
> pages or HTML pages that are well-formatted XML.  The second mitigation
> doesn't fully account for changes to the DOM that XSL transforms are
> capable of and which might be unexpected by the transformed page.  The
> XSL stylesheet can add and remove nodes that might affect the security
> properties of a page.  XSLT could remove the script node, for instance,
> that was responsible for frame busting.
> 
> So I think we either need to create a different category (xslt-src?) for
> XSL stylesheets, or lump them with script-src which sites will
> understand has a higher risk profile.  Thoughts?
> 
> Thanks,
> Brandon
>

Received on Tuesday, 14 June 2011 17:14:47 UTC