- From: Mike West <mkwst@google.com>
- Date: Wed, 19 Sep 2012 00:40:00 +0200
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Good questions!

On Tue, Sep 18, 2012 at 11:57 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> * doc.body.appendChild(doc.createElement("style"));
> * doc.body.setAttribute("style", "...");
> * doc.body.innerHTML = "<style>...</style>";

These are blocked in WebKit if 'unsafe-inline' isn't whitelisted.

> * doc.body.style.background = "...";
> * doc.body.bgcolor = "...";
> * doc.body.appendChild(doc.createElement("font"));
> * bgcolor attributes appearing in the markup
> * <font> elements appearing in the markup

These are not blocked in WebKit at the moment. The latter three possibly should be, as they actually touch the DOM; the first two probably shouldn't be. I don't have a good argument as to why they're different, other than the general feel that they're more JavaScript than style...

It should be clarified in the spec, but I'm not sure there's really much practical impact either way. There's much less that an attacker can do with a font element than she can do with arbitrary style properties.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
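The quickest way to settle which of the listed operations a given browser treats as inline style under `style-src` is to load a probe page and watch for violation reports. The page below is an added example for that purpose; it is not part of the thread and not WebKit or spec code. It assumes the standard `securitypolicyviolation` DOM event (the modern reporting mechanism, so what it records is the behaviour of whichever browser loads it, not of 2012 WebKit), uses the IDL spelling `bgColor` for the `bgcolor` property, and runs the `innerHTML` case on a fresh `<div>` appended to the body rather than on `document.body` itself so the log element survives. Serve it over HTTP (not `file://`) so `'self'` has an origin to match.

```html
<!DOCTYPE html>
<!-- Added probe page (not from the thread). Exercises each operation Tanvi listed
     under a style-src policy that omits 'unsafe-inline' and records which ones
     the browser reports as CSP violations. Results depend on the browser used. -->
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="style-src 'self'">
<title>style-src probe</title>
<!-- Markup-level cases from the list: a bgcolor attribute and a <font> element. -->
<body bgcolor="#f0f0f0">
  <p><font color="gray">Markup-level &lt;font&gt; element with a color attribute</font></p>
  <pre id="log">probing...</pre>
  <script>
    // Violation reports are dispatched asynchronously; collect them here.
    const violations = [];
    document.addEventListener('securitypolicyviolation', e => {
      violations.push(`${e.violatedDirective} (sample: ${e.sample || 'n/a'})`);
    });

    // Script-level cases from the list, in the same order as the thread.
    const probes = [
      ['appendChild(createElement("style"))', () => {
        const s = document.createElement('style');
        s.textContent = 'body { outline: 2px solid red; }';
        document.body.appendChild(s);
      }],
      ['body.setAttribute("style", ...)', () => {
        document.body.setAttribute('style', 'outline: 2px solid green');
      }],
      ['innerHTML = "<style>...</style>" (on an appended div)', () => {
        const d = document.createElement('div');
        d.innerHTML = '<style>body { outline: 2px solid blue; }</style>';
        document.body.appendChild(d);
      }],
      ['body.style.background = ... (CSSOM)', () => {
        document.body.style.background = 'yellow';
      }],
      ['body.bgColor = ... (presentational attribute via IDL)', () => {
        document.body.bgColor = 'orange';
      }],
      ['appendChild(createElement("font"))', () => {
        const f = document.createElement('font');
        f.color = 'purple';
        f.textContent = ' script-inserted font element';
        document.body.appendChild(f);
      }],
    ];

    // Run every probe; CSP blocking is silent (no exception), so note exceptions
    // separately from violations to avoid confusing the two.
    const results = probes.map(([label, run]) => {
      try { run(); return `${label}: executed`; }
      catch (err) { return `${label}: threw ${err.name}`; }
    });

    // Violation events are queued as separate tasks; wait briefly before reporting.
    setTimeout(() => {
      document.getElementById('log').textContent =
        results.join('\n') +
        '\n\nViolations reported by this browser:\n' +
        (violations.length ? violations.join('\n') : '(none)');
    }, 200);
  </script>
</body>
```

Read the output two ways: an operation that "executed" yet shows up under violations is one the browser blocked as inline style, while an operation that executed with no violation (and visibly changed the page, e.g. the CSSOM and `bgColor` cases) is one the policy does not cover, which is exactly the distinction the thread is drawing. Compare the log against the browser's developer console, which also prints the same reports.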
Received on Tuesday, 18 September 2012 22:40:50 UTC