- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 19 Sep 2012 18:21:00 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: public-webappsec@w3.org
On Wed, Sep 19, 2012 at 6:08 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 9/19/12 4:19 PM, Adam Barth wrote:
>> On Tue, Sep 18, 2012 at 5:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>> On 9/18/12 6:40 PM, Mike West wrote:
>>>>>
>>>>> * doc.body.setAttribute("style", "...");
>>> ...
>>>>>
>>>>> * doc.body.style.background = "...";
>>>
>>> There is no functional different between those two. Especially not if
>>> you
>>> actually consider:
>>>
>>> doc.body.style.cssText = "....";
>>
>> There isn't a functional difference, but there is a semantic
>> difference. One is manipulating the DOM style attribute (which then
>> gets reflected in the styles themselves). The other is manipulating
>> the styles themselves (which then gets reflected into the DOM style
>> attribute).
>
> Yes, but in which case is this semantic difference something someone writing
> a CSP would care about, given that the resulting functionality is identical?
I should say that I don't really have a strong opinion here. If
there's another semantics that you prefer strongly, I'm certainly open
to that.
For authors, we should strive for the conceptually clearest semantics.
The concept I was going for was "don't use the style element or
attribute." Maybe it's clearer to include the CSSOM as well? There
isn't really a security benefit to blocking the CSSOM, so it seemed
simpler to allow it.
Adam
Received on Thursday, 20 September 2012 01:21:59 UTC