- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 19 Mar 2012 15:25:50 -0700
- To: sec_ext <sec_ext@fb.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
> In the CSP specification, it states "authors should not include
> 'unsafe-inline' in their CSP policies if they wish to protect themselves
> against XSS."
>
> It is not entirely clear how allowing inline CSS ('style-src
> 'unsafe-inline';) can lead to XSS if you are blocking inline and external
> JS (script-src none;)
>
> Will 'script-src none' not block JS attempts in CSS?

CSP forbids any JavaScript from being included in CSS, regardless of what
policy you use.

> Does it depend on how the spec is implemented (per browser basis)?

As far as I know, all modern browsers have already removed the ability to
run script from CSS.

> Or, does the spec need to be
> re-worded to mention that the aforementioned sentence is only applicable
> to the script-src directive?

There is a security risk to letting folks inject CSS into your document,
albeit a smaller risk than letting them inject script. There was a nice
talk at Black Hat a couple years ago that talked about the kinds of things
an attacker can do by injecting only CSS. For example, using attribute
selectors and background images, the attacker might be able to learn the
value of form fields, including password fields.

It's mostly a question of your risk tolerance. There's a large security
benefit to locking down script-src and object-src. There's a smaller
security benefit to locking down style-src.

We should update the spec to have some more nuanced text on this topic.

Adam
Received on Monday, 19 March 2012 22:26:51 UTC