- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 18 Sep 2012 14:57:12 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <5058EE38.9020501@mozilla.com>
A question came up when implementing unsafe-inline for style-src. The spec says:

> If 'unsafe-inline' is *not* in allowed style sources:
>
> * Whenever the user agent would apply style from a style element, instead the user agent must ignore the style.
> * Whenever the user agent would apply style from a style attribute, instead the user agent must ignore the style.
>
> Note: These restrictions on inline do not prevent the user agent from applying style from an external stylesheet (e.g., found via `<link rel="stylesheet">`).

If a style tag or style attributes are set in HTML, it is clearly a case of unsafe-inline. But if styles are set in JavaScript (inline JavaScript or src'ed JavaScript), are they considered unsafe-inline? Here are some examples we are unsure about:

* doc.body.appendChild(doc.createElement("style"));
* doc.body.setAttribute("style", "...");
* doc.body.style.background = "...";
* bgcolor attributes appearing in the markup
* <font> elements appearing in the markup
* doc.body.appendChild(doc.createElement("font"));
* doc.body.bgcolor = "...";
* doc.body.innerHTML = "<style>...</style>";

How does WebKit handle these cases?

Our guess is that whenever a user agent applies CSS from a <style> tag or style attribute, it would be unsafe-inline. That would mean these cases would result in unsafe-inline that is blocked:

* doc.body.appendChild(doc.createElement("style"));
* doc.body.innerHTML = "<style>...</style>";
* doc.body.setAttribute("style", "...");

Thanks!
~Tanvi
Received on Tuesday, 18 September 2012 21:57:40 UTC
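As an added example (not code from the message above, nor from Firefox or WebKit), here is a small model of the quoted style-src rule: 'unsafe-inline' decides whether a style element or style attribute may be applied, while an external stylesheet is checked against the source list, with style-src falling back to default-src. The caller names what is being applied; how each of the DOM operations listed in the message maps onto "style element" or "style attribute" is the thread's open question and is deliberately left to the caller. CSP 1.0 source-list syntax and the `kind` names are assumptions of this example.

```javascript
// Added example, not code from the original message or from any browser. A
// small model of the quoted style-src rule: the caller states what is applied
// ('style-element', 'style-attribute' or 'external'); how each DOM operation
// maps onto those kinds is the thread's open question and is left to the caller.
const defaultPort = (protocol) => ({ 'http:': '80', 'https:': '443' })[protocol] || '';
function parsePolicy(policy) { // CSP 1.0 syntax assumed: "name value value; name ..."
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // the first occurrence of a directive wins; later duplicates are ignored
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = values.map((v) => v.toLowerCase());
    }
  }
  return directives;
}
// Does one source expression permit fetching a stylesheet from url?
function sourceMatches(expr, url, pageOrigin) {
  const target = new URL(url);
  if (expr === "'self'") return target.origin === pageOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return target.protocol === expr; // scheme-source
  // host-source: [scheme://]host[:port]; quoted keywords such as 'none' and
  // 'unsafe-inline' fail this pattern and therefore match no URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*']+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*' && (target.port || defaultPort(target.protocol)) !== port) return false;
  return true;
}
// True when the user agent may apply the style; url is used only for 'external'.
function styleAllowed(policy, kind, pageOrigin, url) {
  const directives = parsePolicy(policy);
  const sources = directives['style-src'] || directives['default-src'];
  if (!sources) return true; // neither style-src nor default-src: unrestricted
  if (kind === 'external') return sources.some((e) => sourceMatches(e, url, pageOrigin));
  // <style> element or style="" attribute: only 'unsafe-inline' permits it
  return sources.includes("'unsafe-inline'");
}
// Constructed policy: external sheets from self and one CDN, no inline styles.
const policy = "default-src 'self'; style-src 'self' https://cdn.example.com";
const origin = 'https://app.example.com';
console.log(styleAllowed(policy, 'style-element', origin));                               // false
console.log(styleAllowed(policy + " 'unsafe-inline'", 'style-attribute', origin));        // true
console.log(styleAllowed(policy, 'external', origin, 'https://cdn.example.com/site.css')); // true
console.log(styleAllowed(policy, 'external', origin, 'https://evil.example.net/x.css'));   // false
```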