- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 24 Jun 2013 23:54:44 +0900
- To: Adam Barth <w3c@adambarth.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, Gordon Hemsley <me@gphemsley.org>, WebAppSec WG <public-webappsec@w3.org>
On Sun, Jun 23, 2013 at 2:03 PM, Adam Barth <w3c@adambarth.com> wrote: > On Thu, Jun 20, 2013 at 12:27 AM, Anne van Kesteren <annevk@annevk.nl> wrote: >> and XSLT. Adam? > > You might think that XSLT is controlled by style-src because it's > styling information, but we've actually put it into the script-src > bucket because it's just as powerful as script. You can see some > discussion of this topic if you search for XSLT in > https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html. However, with <?xml-stylesheet href="something"?> you cannot know in advance whether you're fetching CSS or XSLT. So you'd need to flush that out. (I realize that's not entirely interoperable today.) Are you changing the CSP fetching policy based on the type pseudo-attribute? >> I think we should treat that as a bug :-) > > I don't think there's anything in CSP that controls DTD fetches. Do > any user agents actually fetch DTDs? I think Opera had an option at some point. Gecko processes DTDs for some internal stuff. However, I'd consider that a web platform bug in a browser if that still exists and is exposed to the web. -- http://annevankesteren.nl/
Received on Monday, 24 June 2013 14:55:13 UTC