- From: L. David Baron <dbaron@dbaron.org>
- Date: Fri, 2 Nov 2012 10:29:28 +0100
- To: public-webappsec@w3.org
http://www.w3.org/TR/CSP/#style-src describes a mechanism through which a CSP directive can say that the user agent must ignore style from style attributes. But it doesn't really say exactly what must be ignored, nor does it say at what level it must be ignored.

It's not clear to me what the goal of this CSP feature is, that is, what the threat model is that it's trying to protect against. Without knowing that, it's not possible for me to review the patch to Mozilla to implement this feature in https://bugzilla.mozilla.org/show_bug.cgi?id=763879 .

I think the specification should describe what should be ignored in a way that answers the following questions (and others), in a way that is consistent with the threat model that this CSP feature is designed to protect against:

(1) Is it acceptable to parse the contents of a style attribute and then not apply the style, or must the contents not be parsed?

(2) Should other inline styles (such as background images specified using presentational HTML attributes) be ignored at the same time? (If the threat model has something to do with the ability to load resources from style attributes, it would seem like the answer here must be yes.)

(3) Should the user agent ignore only style attributes that are present in the markup, or should other mechanisms that set style attributes (e.g., element.style access from script, SMIL animation) also be blocked?

(4) Is it acceptable to load external resources referenced from such a style attribute, as long as those resources aren't used (for what definition of used)?

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                           http://www.mozilla.org/   𝄂
Received on Friday, 2 November 2012 09:29:55 UTC
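As an added example, not code from this thread, from Mozilla or from the W3C, the following checker models the one thing the style-src text does pin down: whether a given policy permits `style` attributes at all, and which directive decides it. It goes beyond the 2012 draft by applying the CSP Level 2/3 rules for nonce- and hash-sources; the sample headers and their nonce/hash values are constructed.

```javascript
// Decides whether a Content-Security-Policy header lets a user agent apply
// `style="..."` attributes, following CSP Level 2/3 rules:
//   - style-src governs inline style; without it, default-src applies;
//     with neither present, style attributes are unrestricted.
//   - when a directive appears twice, the first occurrence wins.
//   - 'unsafe-inline' permits style attributes, but is ignored as soon as
//     the same source list carries a nonce- or hash-source.
//   - a nonce never matches an attribute; a hash matches an attribute only
//     when 'unsafe-hashes' is also present (reported as 'hash-only').

function parsePolicy(header) {
  // Map<directive name (lower-cased), source tokens>; first occurrence wins.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { verdict: 'allowed' | 'blocked' | 'hash-only', governedBy }.
function styleAttributePolicy(header) {
  const directives = parsePolicy(header);
  const governedBy = directives.has('style-src') ? 'style-src'
                   : directives.has('default-src') ? 'default-src' : null;
  if (governedBy === null) return { verdict: 'allowed', governedBy };
  const sources = directives.get(governedBy).map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    return { verdict: 'allowed', governedBy };
  }
  if (hasNonceOrHash && sources.includes("'unsafe-hashes'")) {
    return { verdict: 'hash-only', governedBy };
  }
  return { verdict: 'blocked', governedBy };
}

// Constructed sample headers (placeholder nonce and hash values).
const SAMPLES = {
  noStyleDirective: "script-src 'self'",
  unsafeInline: "default-src 'self'; style-src 'self' 'unsafe-inline'",
  nonceCancelsUnsafeInline: "style-src 'self' 'unsafe-inline' 'nonce-EXAMPLE123'",
  hashWithUnsafeHashes: "style-src 'sha256-EXAMPLEHASH=' 'unsafe-hashes'",
  defaultSrcFallback: "default-src 'self'",
  duplicateFirstWins: "style-src 'none'; style-src 'unsafe-inline'",
};
```

Note the third sample: adding a nonce to a list that already has 'unsafe-inline' silently turns style attributes off, which is the usual way a site discovers that nonces cannot cover attributes.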