RE: XSLT style sheets

Agreed, XSLT == script.  XSLT as an XSS vector has been around for a while now. (here's an OSVDB entry from 2005: http://osvdb.org/20980)  I used to find it all the time in sites that allowed user-specified stylesheets to adapt content to, e.g. mobile devices.  It is probably not used more often only because traditional JS-based XSS is so reliable in most cases.  If CSP starts changing that, the adaptation to XSLT will likely follow.  

I'm also concerned here that the XSLTProcessor.importStylesheet() appears to allow the stylesheet to be loaded from any DOM node, including in the current document?  This is equivalent to an inline <script> block and would also have to be subject to the same CSP restrictions that inline script is.

-Brad

-----Original Message-----
From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Brandon Sterne
Sent: Tuesday, June 14, 2011 10:33 AM
To: Adam Barth
Cc: Brian Smith; public-web-security@w3.org
Subject: Re: XSLT style sheets

On 06/14/2011 10:10 AM, Adam Barth wrote:
>> So I think we either need to create a different category (xslt-src?) 
>> for XSL stylesheets, or lump them with script-src which sites will 
>> understand has a higher risk profile.  Thoughts?
> 
> I'd lump them in with script-src.  The problem is that they're 
> somewhat obscure and authors aren't going to understand the security 
> implications.  If you and I didn't get it right the first time, what 
> chance do authors have?
> 
> Adam

Okay, this sounds fine.  Giorgio seems to agree.  I'll wait to see if there are objections, otherwise I'll make this change.  It is troubling that some of these technologies are so poorly understood, even by us "experts". I think putting XSLT with script-src has the advantage that most users will understand that trusting a site to serve script has a high amount of risk, and any risk aversion will automatically transfer to XSLT as well.  This would not be the case if we created xslt-src, which most sites would be unlikely to specify, and could inadvertently permit this functionality through default-src.

Cheers,
Brandon

Received on Tuesday, 14 June 2011 18:04:34 UTC
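The two directive designs debated in the thread (a separate xslt-src that falls back to default-src, versus governing XSLT under script-src) and Brad's point about stylesheets imported from a DOM node behaving like inline script can be made concrete with a small policy evaluator. The following is an added example written for this archive page; it is not code from the thread, from a browser, or from any CSP implementation. It assumes: the xslt-src directive is hypothetical and exists only for the comparison; the sample policies and origins are constructed; and the matcher deliberately models only 'none', 'self', 'unsafe-inline', scheme sources and host sources with an optional leading "*." (no ports, paths, nonces or hashes).

```javascript
// Added example: a simplified CSP source-list matcher used to compare
// "XSLT under script-src" with a hypothetical "xslt-src" directive.
// Not browser code and not any project's implementation. Simplifications:
// ports, paths, nonces and hashes are not modeled.

// Split "a b; c d" into Map { a -> [b], c -> [d] }.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Host-source matching: exact host, or "*.suffix" matching any subdomain.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.cdn.example" -> ".cdn.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit fetching `url` from a page at `pageOrigin`?
function sourceAllows(source, pageOrigin, url) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "'unsafe-inline'") return false; // never matches a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)$/.exec(s); // [scheme://]host
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return hostMatches(hostPattern, url.hostname);
}

// The list that governs a directive: the directive itself, else default-src,
// else null (no applicable restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function allowsUrl(policy, directive, pageOrigin, urlString) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((src) => sourceAllows(src, pageOrigin, url));
}

// A stylesheet taken from a DOM node has no URL; it is treated exactly like an
// inline <script> block and needs 'unsafe-inline' in the governing list.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// stylesheet is either { url: '...' } or { inline: true }.
function xsltDecision(header, pageOrigin, stylesheet) {
  const policy = parsePolicy(header);
  const check = (directive) => stylesheet.inline
    ? allowsInline(policy, directive)
    : allowsUrl(policy, directive, pageOrigin, stylesheet.url);
  return {
    underScriptSrc: check('script-src'),          // the design adopted in the thread
    underHypotheticalXsltSrc: check('xslt-src'),  // falls through to default-src
  };
}

// Constructed sample policies: a site that whitelists a CDN for static assets
// and a site that permits inline styles, both keeping script-src tight.
const CDN_POLICY = "default-src 'self' *.cdn.example; script-src 'self'";
const INLINE_POLICY = "default-src 'self' 'unsafe-inline'; script-src 'self'";
const PAGE_ORIGIN = 'https://app.example';

function demo() {
  return [
    ['CDN policy, stylesheet on the CDN',
      xsltDecision(CDN_POLICY, PAGE_ORIGIN, { url: 'https://assets.cdn.example/mobile.xsl' })],
    ['CDN policy, stylesheet on attacker host',
      xsltDecision(CDN_POLICY, PAGE_ORIGIN, { url: 'https://evil.example/x.xsl' })],
    ['inline policy, stylesheet from a DOM node',
      xsltDecision(INLINE_POLICY, PAGE_ORIGIN, { inline: true })],
  ];
}

for (const [name, result] of demo()) console.log(name, result);
```

In both constructed policies the author tightened script-src and left default-src looser for non-script resources. Under the adopted design every XSLT load is judged by script-src, so the CDN-hosted and DOM-node stylesheets are refused along with the attacker's. Under a separate xslt-src that the site never wrote, the same loads fall through to default-src and are permitted, which is the inadvertent exposure Brandon describes.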