Re: CSP, style-src, and what it means to ignore style attributes

Would the following text answer these questions to your satisfaction?

@@ -791,16 +791,15 @@
           <code>style</code> element, instead the user agent <code>MUST</code>
           ignore the style.</li>

-          <li>Whenever the user agent would apply style from a
-          <code>style</code> attribute, instead the user agent
-          <code>MUST</code> ignore the style.</li>
+          <li>When determining the value for an element/CSS property
+          (care of Section 6.4.1 of [[!CSS21]]), the user agent
+          ignore declarations from <code>style</code> attributes (in
the sense of
+          the first bullet in Section 6.4.3 of [[!CSS21]]).</li>

         <p>Note: These restrictions on inline do not prevent the user agent
         from applying style from an external stylesheet (e.g., found via
-        <code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
-        not prevented from applying style from Cascading Style Sheets Object
-        Model (CSSOM). [[!CSSOM]]</p>
+        <code>&lt;link rel="stylesheet"&gt;</code>).</p>

         <p>Whenever the user agent <a
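
Review bot: The new list item reads "the user agent ignore declarations", which drops the <code>MUST</code> that the removed item carried, so the requirement is no longer stated normatively and the sentence no longer parses; suggest "the user agent <code>MUST</code> ignore declarations from <code>style</code> attributes". In the note below it, the sentence saying the user agent is not prevented from applying style from CSSOM is deleted with nothing put in its place, so the text no longer says whether style set from script is covered, which is question (3) in the quoted message; one sentence stating the intended behaviour either way would settle it.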

On Fri, Nov 2, 2012 at 2:29 AM, L. David Baron wrote:
> describes a mechanism through
> which a CSP directive can say that the user agent must ignore style
> from style attributes.  But it doesn't really say exactly what must
> be ignored, nor does it say at what level it must be ignored.
> It's not clear to me what the goal of this CSP feature is, that is,
> what the threat model is that it's trying to protect against.
> Without knowing that, it's not possible for me to review the patch
> to Mozilla to implement this feature in
> .
> I think the specification should describe what should be ignored in
> a way that answers the following questions (and others) in such a
> way that is consistent with the threat model that this CSP feature
> is designed to protect against:
>  (1) Is it acceptable to parse the contents of a style attribute and
>  then not apply the style, or must the contents not be parsed?
>  (2) Should other inline styles (such as background images specified
>  using presentational HTML attributes) be ignored at the same time?
>  (If the threat model has something to do with the ability to load
>  resources from style attributes, it would seem like the answer here
>  must be yes.)
>  (3) Should the user agent ignore only style attributes that are
>  present in the markup, or should other mechanisms that set style
>  attributes (e.g., access from script, SMIL animation)
>  also be blocked?
>  (4) Is it acceptable to load external resources referenced from
>  such a style attribute, as long as those resources aren't used (for
>  what definition of used)?
> -David
> --
> 𝄞   L. David Baron                  𝄂
> 𝄢   Mozilla                    𝄂

Received on Friday, 2 November 2012 17:31:11 UTC