Re: CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe? from David Bruant on 2012-03-20 (public-webappsec@w3.org from March 2012)

From: David Bruant <bruant.d@gmail.com>
Date: Tue, 20 Mar 2012 11:03:09 +0100
To: Adam Barth <w3c@adambarth.com>
CC: sec_ext <sec_ext@fb.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <4F6855DD.2090100@gmail.com>

Le 19/03/2012 23:25, Adam Barth a écrit :
> On Mon, Mar 19, 2012 at 2:48 PM, sec_ext<sec_ext@fb.com>  wrote:
>> In the CSP specification, it states "authors should not include
>> 'unsafe-inline' in their CSP policies if they wish to protect themselves
>> against XSS."
>>
>> It is not entirely clear how allowing inline CSS ('style-src
>> 'unsafe-inline';) can lead to XSS if you are blocking inline and external
>> JS (script-src none;)
>>
>> Will 'script-src none' not block JS attempts in CSS?
> CSP forbids any JavaScript from being included in CSS, regardless of
> what policy you use.
Sorry to ask if the question is stupid, but how do you include 
JavaScript in CSS? I've never heard of such a thing being possible.

David

Received on Tuesday, 20 March 2012 10:03:45 UTC