W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

RE: unsafe-inline for style-src

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 20 Sep 2012 18:34:24 +0000
To: Adam Barth <w3c@adambarth.com>, Boris Zbarsky <bzbarsky@mit.edu>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E26A237@DEN-EXDDA-S12.corp.ebay.com>
> 2) Phishing.  If an attacker can inject elements into a page with arbitrary style,
> the attacker can completely change the appearance of the page and, for
> example, make the page show a login screen.  This attack is more powerful
> than a traditional phishing attack because the browser's location bar will still
> show the URL of the real web site (including any EV indicators or whatnot).
> To mitigate this risk, we need to block both <style> and @style.

[Hill, Brad] Is this really an in-scope goal?  

It seems to me that phishing would actually be more effective if it re-used the existing styles available with the genuine content than if it tried to create new styles.

I thought inline styles wore forbidden because they could be script-equivalents in some cases.
Received on Thursday, 20 September 2012 18:34:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:29 UTC