- From: sec_ext <sec_ext@fb.com>
- Date: Mon, 19 Mar 2012 21:48:02 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
In the CSP specification, it states "authors should not include 'unsafe-inline' in their CSP policies if they wish to protect themselves against XSS." It is not entirely clear how allowing inline CSS (`style-src 'unsafe-inline';`) can lead to XSS if you are blocking inline and external JS (`script-src none;`). Will `script-src none` not block JS attempts in CSS? Does it depend on how the spec is implemented (on a per-browser basis)? Or does the spec need to be re-worded to mention that the aforementioned sentence is only applicable to the script-src directive? Thanks
Received on Monday, 19 March 2012 21:48:31 UTC
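The question above turns on which directive governs an inline element. As an added example that is not part of the original thread, the following Python evaluator applies the CSP source-list rules relevant here: a resource type is checked against its own directive, falling back to `default-src` when that directive is absent, and an inline element is permitted only if the governing source list contains the quoted `'unsafe-inline'` keyword. It also flags a common authoring mistake visible in the question's own shorthand: CSP keywords such as `none` and `self` must be single-quoted, and an unquoted `none` is parsed as a host-source rather than the keyword. Nonces and hashes are deliberately left out (an assumption, to keep the example focused on the question); the sample policies are constructed.

```python
"""Evaluate inline script/style permission under a Content-Security-Policy.

Added example, not code from the original mailing-list post. Implements only the
parts of CSP needed to reason about the question: directive lookup with
default-src fallback, the 'unsafe-inline' keyword, and a lint for unquoted
keywords. Nonces and hashes are omitted as an assumption.
"""

from typing import Dict, List, Optional

# CSP keywords that carry meaning only when wrapped in single quotes.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}

# Directives whose inline behaviour falls back to default-src when absent.
FETCH_DIRECTIVES = {"script-src", "style-src"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source tokens]}.

    Per CSP, when a directive name repeats, the first occurrence wins and later
    duplicates are ignored.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        directives.setdefault(name, sources)
    return directives


def governing_sources(directives: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, or None if unrestricted."""
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def inline_allowed(directives: Dict[str, List[str]], directive: str) -> bool:
    """True if an inline element of this type (e.g. <script> or <style>) may run/apply."""
    sources = governing_sources(directives, directive)
    if sources is None:
        return True  # no directive applies; the policy imposes no restriction
    return "'unsafe-inline'" in sources


def evaluate_inline(policy: str) -> Dict[str, bool]:
    """Report whether inline script and inline style are permitted by `policy`."""
    directives = parse_csp(policy)
    return {
        "inline-script": inline_allowed(directives, "script-src"),
        "inline-style": inline_allowed(directives, "style-src"),
    }


def lint_policy(policy: str) -> List[str]:
    """Flag unquoted keywords and 'unsafe-inline' on script-governing directives."""
    warnings: List[str] = []
    for name, sources in parse_csp(policy).items():
        for src in sources:
            if src.lower() in KEYWORDS:
                # Unquoted, the token is a host-source (a host literally named
                # "none"), not the keyword the author almost certainly intended.
                warnings.append(f"{name}: keyword {src} must be written '{src}'")
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            warnings.append(f"{name}: 'unsafe-inline' permits inline script execution")
    return warnings


if __name__ == "__main__":
    # Constructed policy matching the intent of the question: block all script,
    # allow inline style.
    policy = "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'"
    print(evaluate_inline(policy))   # inline-script False, inline-style True
    # The shorthand as written in the question, with an unquoted none:
    print(lint_policy("script-src none; style-src 'unsafe-inline'"))
```

With the quoted policy, inline script is blocked while inline style is allowed, which is the separation the question is asking about; the lint output shows why the quoting matters when such a policy is written down.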