- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 18 Sep 2012 14:57:12 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <5058EE38.9020501@mozilla.com>
A question came up when implementing unsafe-inline for style-src. The
spec says:
If 'unsafe-inline' is *not* in allowed style sources
  * Whenever the user agent would apply style from a style element,
    instead the user agent must ignore the style.
  * Whenever the user agent would apply style from a style attribute,
    instead the user agent must ignore the style.
Note: These restrictions on inline do not prevent the user agent from
applying style from an external stylesheet (e.g., found via <link
rel="stylesheet">).
If a style tag or style attributes are set in html, it is clearly a case
of unsafe-inline. But if styles are set in javascript (inline
javascript or src'ed javascript), are they considered unsafe-inline?
Here are some examples we are unsure about:
* doc.body.appendChild(doc.createElement("style"));
* doc.body.setAttribute("style", "...");
* doc.body.style.background = "...";
* bgcolor attributes appearing in the markup
* <font> elements appearing in the markup
* doc.body.appendChild(doc.createElement("font"));
* doc.body.bgcolor = "...";
* doc.body.innerHTML = "<style>...</style>";
How does WebKit handle these cases? Our guess is that whenever a user
agent applies css from a <style> tag or style attribute, it would be
unsafe-inline. That would mean these cases would result in
unsafe-inline that is blocked:
* doc.body.appendChild(doc.createElement("style"));
* doc.body.innerHTML = "<style>...</style>";
* doc.body.setAttribute("style", "...");
Thanks!
~Tanvi
Received on Tuesday, 18 September 2012 21:57:40 UTC
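The question in the message can be answered empirically in whatever browser is at hand. The page below is an added example, not part of the original message, the spec, or any browser's test suite: it delivers `style-src 'self'` (no 'unsafe-inline') through a <meta> tag, performs each of the listed operations, and reports both whether the style actually took effect (computed style) and whether a securitypolicyviolation event fired. The element ids, class names and colour values are arbitrary choices made for the probe.

```html
<!DOCTYPE html>
<html>
<head>
<!-- Constructed probe page (added example, not from the original message).
     The <meta> form of CSP is used so the file runs from disk; a real site
     would send the Content-Security-Policy response header instead. Only
     style-src is restricted, so the inline <script> below is allowed to run. -->
<meta http-equiv="Content-Security-Policy" content="style-src 'self'">
<title>style-src 'unsafe-inline' probe</title>
</head>
<body>
<!-- Static-markup cases from the message. Any violation for these fires
     during parsing, before the listener below exists, so only the computed
     style tells us whether they were applied. -->
<p id="m-style" style="color: rgb(1, 0, 0)">style attribute in markup</p>
<font id="m-font" color="#020000">font element in markup</font>
<table><tr><td id="m-bgcolor" bgcolor="#030000">bgcolor attribute in markup</td></tr></table>
<pre id="log"></pre>
<script>
  // Every blocked inline style produces a securitypolicyviolation event on the
  // offending element; it bubbles, so one listener on the document sees them all.
  const violations = [];
  document.addEventListener('securitypolicyviolation', (e) => {
    violations.push(e.violatedDirective + ' ' + (e.sample || ''));
  });

  const color = (el) => getComputedStyle(el).color;
  const bg = (el) => getComputedStyle(el).backgroundColor;
  // Create an element and connect it to the document before it is styled.
  const fresh = (tag = 'div') => document.body.appendChild(document.createElement(tag));

  // Dynamic cases from the message. run() performs the operation on a fresh,
  // connected element and returns it; applied() checks whether the style took
  // effect, which is the ground truth independent of whether an event fired.
  const probes = {
    'appendChild(createElement("style"))': {
      run() { const t = fresh(); t.className = 'p1';
              const s = fresh('style'); s.textContent = '.p1 { color: rgb(10, 0, 0) }'; return t; },
      applied: (t) => color(t) === 'rgb(10, 0, 0)',
    },
    'innerHTML = "<style>...</style>"': {
      run() { const t = fresh(); t.className = 'p2';
              t.innerHTML = '<style>.p2 { color: rgb(20, 0, 0) }</style>x'; return t; },
      applied: (t) => color(t) === 'rgb(20, 0, 0)',
    },
    'setAttribute("style", ...)': {
      run() { const t = fresh(); t.setAttribute('style', 'color: rgb(30, 0, 0)'); return t; },
      applied: (t) => color(t) === 'rgb(30, 0, 0)',
    },
    'el.style.color = ... (CSSOM)': {
      run() { const t = fresh(); t.style.color = 'rgb(40, 0, 0)'; return t; },
      applied: (t) => color(t) === 'rgb(40, 0, 0)',
    },
    'appendChild(createElement("font"))': {
      // The legacy colour parser does not accept rgb(); #320000 is rgb(50, 0, 0).
      run() { const f = fresh('font'); f.color = '#320000'; f.textContent = 'x'; return f; },
      applied: (f) => color(f) === 'rgb(50, 0, 0)',
    },
    'td.bgColor = ...': {
      // The IDL property is bgColor; assigning a lowercase .bgcolor only creates a JS expando.
      run() { const td = fresh('table').insertRow().insertCell(); td.bgColor = '#3c0000'; return td; },
      applied: (td) => bg(td) === 'rgb(60, 0, 0)',
    },
  };

  // Violation events are queued as separate tasks, so yield to the event loop
  // after each probe before attributing newly recorded events to it.
  const tick = () => new Promise((resolve) => setTimeout(resolve, 50));
  const log = (line) => { document.getElementById('log').textContent += line + '\n'; };

  (async () => {
    const markup = {
      'style attribute in markup':   color(document.getElementById('m-style'))   === 'rgb(1, 0, 0)',
      'font element in markup':      color(document.getElementById('m-font'))    === 'rgb(2, 0, 0)',
      'bgcolor attribute in markup': bg(document.getElementById('m-bgcolor'))    === 'rgb(3, 0, 0)',
    };
    for (const [name, ok] of Object.entries(markup)) {
      log(`${ok ? 'applied' : 'BLOCKED'}  ${name}`);
    }
    for (const [name, p] of Object.entries(probes)) {
      const seen = violations.length;
      const el = p.run();
      await tick();
      const fired = violations.slice(seen);
      log(`${p.applied(el) ? 'applied' : 'BLOCKED'}  ${name}` +
          (fired.length ? `  (${fired.join('; ')})` : '  (no violation event)'));
    }
  })();
</script>
</body>
</html>
```

Open the file in a browser and read the <pre>. The wording of the spec quoted above restricts style applied "from a style element" or "from a style attribute", so the <style> and style-attribute cases, in whichever form they are created (markup, createElement, innerHTML, setAttribute), are the ones governed by 'unsafe-inline'; presentational hints such as <font color> and bgcolor are neither a style element nor a style attribute, and the current CSP specification explicitly leaves CSSOM writes such as el.style.color untouched. The exact directive name the event reports (style-src, or the finer style-src-elem / style-src-attr) depends on which CSP level the browser implements, which is why the page logs it rather than hard-coding an expectation.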