RE: unsafe-inline for style-src

> 2) Phishing.  If an attacker can inject elements into a page with arbitrary style,
> the attacker can completely change the appearance of the page and, for
> example, make the page show a login screen.  This attack is more powerful
> than a traditional phishing attack because the browser's location bar will still
> show the URL of the real web site (including any EV indicators or whatnot).
> To mitigate this risk, we need to block both <style> and @style.

[Hill, Brad] Is this really an in-scope goal?  

It seems to me that phishing would actually be more effective if it re-used the existing styles available with the genuine content than if it tried to create new styles.

I thought inline styles wore forbidden because they could be script-equivalents in some cases.

Received on Thursday, 20 September 2012 18:34:53 UTC