- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Fri, 1 Mar 2013 11:23:16 -0800
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: public-webappsec@w3.org, www-style list <www-style@w3.org>
On Fri, Mar 1, 2013 at 10:15 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> <http://www.w3.org/TR/2012/CR-CSP-20121115/#security-considerations>:
>
> > The style-src directive restricts the locations from which the
> > protected resource can load styles. However, if the user agent uses a
> > lax CSS parsing algorithm, an attacker might be able to trick the user
> > agent into accepting malicious "style sheets" hosted by an otherwise
> > trustworthy origin.
> >
> > These attacks are similar to the CSS cross-origin data leakage attack
> > described by Chris Evans in 2009. User agents should defend against
> > both attacks using the same mechanism: stricter CSS parsing rules for
> > style sheets with improper MIME types.
>
> I do not understand this text, starting with why user agents would load
> non-text/css resources as style sheets into `style-src` restricted
> documents. It does not say what web sites can do to protect against this
> kind of attack, or how using "stricter parsing rules" is a defense for
> the user agent. More importantly, I do not understand how to comply with
> the "SHOULD" requirement here: what actually are these "stricter rules"?

The CSSWG didn't produce that document, so I can't offer any clarification. However, I can at least comment on a few of your questions.

The Cascade spec defines how Content-Type is used in interpreting a style sheet <http://dev.w3.org/csswg/css3-cascade/#import-content-type>. Summary is that in order to be loaded, a stylesheet must either have a Content-Type of text/css, have no Content-Type at all, or be both same-origin and in quirks mode. (I guess technically this only applies to imported style sheets, not ones linked in via other document languages. I think that's the technically correct choice.)

The proper parsing rules are just to follow the Syntax spec <http://dev.w3.org/csswg/css3-syntax/> once it's completely finished.

~TJ
Received on Friday, 1 March 2013 19:24:04 UTC
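The Content-Type rule Tab summarises (text/css, or no Content-Type, or same-origin and quirks mode) as a runnable model. This is an added example, not code from the message, the CSS WG or any browser; the function names `mediaType`, `originOf`, `mayApplyAsStyleSheet` and `evaluateSamples`, the sample URLs and the `{ url, contentType }` record shape are assumptions for illustration only.

```javascript
// Added example: a model of the imported-style-sheet Content-Type rule
// described in the message above. It is not browser or spec code.

// Extract the media type from a Content-Type header value, dropping
// parameters such as "; charset=utf-8" and ignoring letter case.
// A missing header is returned as null so the caller can treat it separately.
function mediaType(contentType) {
  if (contentType === null || contentType === undefined) return null;
  return contentType.split(";")[0].trim().toLowerCase();
}

// Reduce a URL to its origin (scheme, host, port). URL.origin already
// normalises default ports, so https://a.example:443/x and https://a.example/y
// compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether a fetched resource may be applied as a style sheet.
// `sheet` is a constructed record of the form { url, contentType }.
function mayApplyAsStyleSheet(sheet, documentUrl, quirksMode) {
  const type = mediaType(sheet.contentType);
  if (type === null) return true;        // no Content-Type at all: accepted
  if (type === "text/css") return true;  // the proper type: accepted
  // Any other type is tolerated only for a same-origin sheet while the
  // document is in quirks mode; this is the window the CSP text warns about.
  return quirksMode && originOf(sheet.url) === originOf(documentUrl);
}

// Constructed samples (hypothetical hosts). The second entry models a
// non-CSS page on the trusted origin whose content an attacker could
// influence: it is rejected in standards mode but accepted in quirks mode.
const DOC_URL = "https://trusted.example/app";
const SAMPLES = [
  { url: "https://trusted.example/site.css", contentType: "text/css; charset=utf-8" },
  { url: "https://trusted.example/profile.html", contentType: "text/html" },
  { url: "https://other.example/profile.html", contentType: "text/html" },
  { url: "https://cdn.example/legacy.css", contentType: null },
];

// Evaluate every sample for the given document mode; returns booleans in
// the same order as SAMPLES.
function evaluateSamples(quirksMode) {
  return SAMPLES.map((s) => mayApplyAsStyleSheet(s, DOC_URL, quirksMode));
}
```

Comparing `evaluateSamples(false)` with `evaluateSamples(true)` shows that the only acceptance that changes with quirks mode is the same-origin non-CSS resource, which is exactly the case a server can close by serving it with an accurate Content-Type.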