- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Mon, 22 Oct 2012 22:17:28 +0000
- To: Ian Melven <imelven@mozilla.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jonas Sicking <jonas@sicking.cc>
Ian, can you join our call tomorrow at 2pm Pacific? Brad Hill Ecosystem Security PayPal Information Risk Management cell: 206.245.7844 / skype: hillbrad On Oct 22, 2012, at 3:04 PM, "Ian Melven" <imelven@mozilla.com> wrote: > > Hello, > > As part of our work to implement the CSP 1.0 spec in Gecko (https://bugzilla.mozilla.org/show_bug.cgi?id=663566), > we have been looking at what we need to do to block inline styles (https://bugzilla.mozilla.org/show_bug.cgi?id=763879) > > The reason for this post is that we need more discussion among the WG (and possible clearer guidance in the spec) as to what > threats blocking styles is intended to address and what threats are considered out of scope for this > restriction (eg if it's intended to stop data exfiltration). > > Additionally, we could really use clarification in the spec as to what methods of applying CSS should be blocked in a CSP 1.0 compliant UA > (and this would hopefully lead to more consistency across implementations). > > Previously on this mailing list, we discussed blocking mechanisms that apply CSS that > are equivalent to inserting and parsing a <style> node in the DOM. > > Specifically, we considered the following list of ways to apply CSS: > (from https://bugzilla.mozilla.org/show_bug.cgi?id=763879#c26) > > * doc.body.appendChild(doc.createElement("style")); > * doc.body.setAttribute("style", "..."); > * doc.body.style.background = "..."; > * bgcolor attributes appearing in the markup > * <font> elements appearing in the markup > * doc.body.appendChild(doc.createElement("font")); > * doc.body.bgcolor = "..."; > * doc.body.innerHTML = "<style>...</style>"; > > However, in https://bugzilla.mozilla.org/show_bug.cgi?id=763879#c33 Jonas points out: > > "The data-stealing attack described in the article below could be done using just element.style.background = ...; > > So while it might "feel" safer, it's arguably not. > > http://scarybeastsecurity.blogspot.com.es/2009/12/generic-cross-browser-cross-domain.html " > > There is more discussion in bug 763879 about what mechanisms in the above list are equivalent and what > the important distinction when evaluating these mechanisms is, and if basing it around if the > mechanism is equivalent to inserting a <style> node goes far enough - my personal opinion agrees with a > statement from Jonas : "The critical distinction isn't whether you have to call a JS function in > order to launch the attack. The distinction is whether that function parses strings into harmful content." > > Your thoughts are very welcome. > > thank you ! > ian > >
Received on Monday, 22 October 2012 22:17:58 UTC