- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 23 Oct 2012 09:26:20 -0400
- To: public-webappsec@w3.org
On 10/23/12 1:40 AM, Adam Barth wrote:
> On Mon, Oct 22, 2012 at 7:31 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> We should just block all inline
>> style and be done with it, instead of worrying exactly how it was set.
>
> That's another place to draw the line. Do you have spec text you'd
> like to propose for doing that? It's easier for me to think about
> these sorts of changes with concrete text.
Sure. How about:
Declarations that come from style attributes, in the sense of CSS 2.1
section 6.4.3 first bullet point, are not applied.
>> I still have to see a clear definition of the inline style behavior in this
>> spec. Everything I have seen so far has basically required
>> reverse-engineering UAs to understand what the spec is trying to say.
>
> Can you explain what is unclear about the text that is currently in
> the spec? I'm happy to improve the clarity of the requirements, but
> I'm not sure we agree about what behavior we're trying to specify.
OK. For purposes of the following examples, assume that "doc" is a
document with a CSP that has "style-src unsafe-inline" and that the
scripts are running in the context of a different document which has no
CSP applied. It's not clear to me, from the spec's current language,
whether the styles are applied in these examples, because it's not clear
to me what it really means by "from a style attribute" in terms of the
actual processing model.
So examples:
// Example 1
var el = document.createElement("span");
el.setAttribute("style", "color: red;");
doc.body.appendChild(el);
// Example 2
var el = document.createElement("span");
el.style.color = "red";
// Note that now both the CSSOM and the DOM of "el"
// are the same as in example 1
doc.body.appendChild(el);
// Example 3
var el = document.createElement("span");
el.setAttribute("style", "background: purple;");
el.style.color = "red";
doc.body.appendChild(el);
// Is the color applied? Is the background?
Basically, the problem with the current spec language is that if the
intent is that example 1 be blocked but example 2 is not blocked then
either you have to keep track of the provenance of each declaration (not
acceptable to me) or the blocking happens at a particular point in time
and is not a state. But the spec does not clearly define what that
point in time is, unfortunately. Is it at the moment the setAttribute
call happens (so that the styles in example 1 above would not be
blocked), or something else?
If it's something else, then what exactly is supposed to happen in
example 3?
Basically, what I want from the spec is to either define the blocking as
a state function, so that it's possible, by examining the state of an
element (its DOM, CSSOM, and any internal flags this specification
defines), to determine whether style is applied, or to define an actual
processing model if the behavior is order-of-operations dependent.
Does that make sense?
-Boris
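The following is an added illustration, not code from the thread or from any browser: a toy model of an element with a DOM style attribute and a CSSOM declaration list, used to show the point about examples 1 and 2 ending in the same observable state. `TinyElement`, `parseStyle`, `serializeStyle`, `appliedUnderStateRule` and `appliedUnderProvenanceRule` are hypothetical names; only the `setAttribute` / `style.setProperty` shape mimics the real DOM. The model keeps a per-declaration origin purely so the two candidate rules can be compared on the same element.

```javascript
// Added example (not from the mailing-list thread): a hypothetical model of
// an element's style attribute and CSSOM. It shows that examples 1 and 2
// produce identical DOM + CSSOM state, so a rule defined purely as a
// function of that state cannot block one without the other, while a rule
// that tracks each declaration's provenance can (at the cost of that tracking).

function parseStyle(text) {
  // "color: red; background: purple" -> [{ prop, value }, ...]
  return text.split(";")
    .map(s => s.trim())
    .filter(Boolean)
    .map(s => {
      const idx = s.indexOf(":");
      return { prop: s.slice(0, idx).trim(), value: s.slice(idx + 1).trim() };
    });
}

function serializeStyle(decls) {
  return decls.map(d => `${d.prop}: ${d.value};`).join(" ");
}

class TinyElement {
  constructor() {
    this.attributes = {};   // the DOM side
    this.decls = [];        // the CSSOM side: ordered declarations
    this.provenance = [];   // per-declaration origin; only the provenance rule reads it
    const self = this;
    // el.style.setProperty(prop, value) mutates the CSSOM and reflects to the attribute
    this.style = {
      setProperty(prop, value) { self.setDecl(prop, value, "cssom"); }
    };
  }

  setAttribute(name, value) {
    this.attributes[name] = value;
    if (name === "style") {
      // Parsing the attribute replaces the whole declaration block
      this.decls = parseStyle(value);
      this.provenance = this.decls.map(() => "attribute");
    }
  }

  setDecl(prop, value, origin) {
    const i = this.decls.findIndex(d => d.prop === prop);
    if (i >= 0) {
      this.decls[i] = { prop, value };
      this.provenance[i] = origin;
    } else {
      this.decls.push({ prop, value });
      this.provenance.push(origin);
    }
    // CSSOM mutations are reflected back into the style attribute
    this.attributes.style = serializeStyle(this.decls);
  }

  // Observable state: DOM attribute plus CSSOM declarations, no provenance
  state() {
    return JSON.stringify({ attributes: this.attributes, decls: this.decls });
  }
}

// Rule A, a "state function" as proposed in the mail: when inline style is
// not allowed, every declaration present in the element's style block is
// treated as coming from the style attribute and is not applied.
function appliedUnderStateRule(el, allowInline) {
  if (allowInline) return el.decls.map(d => d.prop);
  return [];
}

// Rule B, provenance tracking (which the mail rejects as unacceptable):
// only declarations whose recorded origin is the attribute are dropped.
function appliedUnderProvenanceRule(el, allowInline) {
  if (allowInline) return el.decls.map(d => d.prop);
  return el.decls
    .filter((d, i) => el.provenance[i] !== "attribute")
    .map(d => d.prop);
}

// The three examples from the mail, built against the toy model
function example1() {
  const el = new TinyElement();
  el.setAttribute("style", "color: red;");
  return el;
}
function example2() {
  const el = new TinyElement();
  el.style.setProperty("color", "red");
  return el;
}
function example3() {
  const el = new TinyElement();
  el.setAttribute("style", "background: purple;");
  el.style.setProperty("color", "red");
  return el;
}

function sameObservableState(a, b) {
  return a.state() === b.state();
}
```

Running `sameObservableState(example1(), example2())` returns `true`: the attribute text and the declaration list are identical, so Rule A blocks both or neither. Rule B applies `color` in example 2 but not in example 1, and applies only `color` in example 3, which is exactly the per-declaration bookkeeping the mail wants to avoid.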
Received on Tuesday, 23 October 2012 13:26:54 UTC