CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe?

In the CSP specification, it states "authors should not include
'unsafe-inline' in their CSP policies if they wish to protect themselves
against XSS."

It is not entirely clear how allowing inline CSS ('style-src
'unsafe-inline';) can lead to XSS if you are blocking inline and external
JS (script-src none;)

Will 'script-src none' not block JS attempts in CSS? Does it depend on how
the spec is implemented (per browser basis)? Or, does the spec need to be
re-worded to mention that the aforementioned sentence is only applicable
to the script-src directive?

Thanks





 

Received on Monday, 19 March 2012 21:48:31 UTC