- From: sec_ext <sec_ext@fb.com>
- Date: Mon, 19 Mar 2012 21:48:02 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
In the CSP specification, it states "authors should not include
'unsafe-inline' in their CSP policies if they wish to protect themselves
against XSS."
It is not entirely clear how allowing inline CSS ('style-src
'unsafe-inline';) can lead to XSS if you are blocking inline and external
JS (script-src none;)
Will 'script-src none' not block JS attempts in CSS? Does it depend on how
the spec is implemented (per browser basis)? Or, does the spec need to be
re-worded to mention that the aforementioned sentence is only applicable
to the script-src directive?
Thanks
Received on Monday, 19 March 2012 21:48:31 UTC