- From: Frederik Braun <fbraun@mozilla.com>
- Date: Thu, 28 Aug 2014 11:23:29 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Jonas Sicking <sicking@mozilla.com>, "L. David Baron" <dbaron@dbaron.org>

Hi,

my colleagues David Baron and Jonas Sicking at Mozilla spurred a short discussion of the CSSOM threat model in CSP2: They found it particularly unclear what the threat model is and what 'unsafe eval' is supposed to protect against.

Considering that 'eval' has no meaning in CSS, it would help to add a note that explains it a bit further, e.g.:

>'unsafe-eval' protects against CSS modifications from script by
> modifying style through '.style', '.cssText', 'insertRule()' and
> '.selectorText'.

Jonas also highlighted that existing CSS rules could be re-used as gadgets to restyle the document. This can be done by changing selectors through the 'selectorText' attribute (as included in the note above).

We can fix this by adding the "parse a group of selectors" algorithm[1] to the existing text in CSP2 7.18:

"Whenever the user agent would invoke the Cascading Style Sheets Object Model algorithms insert a CSS rule, parse a CSS rule, or parse a CSS declaration block, instead the user agent MUST throw a SecurityError exception and terminate the algorithm."

Considering that adding the algorithm is more an oversight than a new spec feature, I assume this can be squeezed in despite the end of Last Call?

Thanks!
Freddy

[1] The algorithm is defined in <http://dev.w3.org/csswg/cssom/#parse-a-group-of-selectors> and only used here <http://dev.w3.org/csswg/cssom/#the-cssstylerule-interface>.

Received on Thursday, 28 August 2014 09:23:55 UTC
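
The gap described in the message above, as an added toy model that is not part of the original post and is not browser or spec code: it gates three script-side CSSOM writes on a list of blocked algorithm names and compares the CSP2 7.18 list with the proposed one. `ToySheet`, `invoke`, `audit` and the sample rule are hypothetical names and constructed data; the mapping of each setter to its algorithm is an assumption based on the CSSOM names quoted in the message.

```javascript
// Toy model (added illustration, not browser or spec code).
// Algorithm names are the CSSOM ones quoted in the message above.
const CSP2_7_18 = ["insert a CSS rule", "parse a CSS rule", "parse a CSS declaration block"];
const PROPOSED = [...CSP2_7_18, "parse a group of selectors"];

class SecurityError extends Error {}

// Hypothetical gate: each modelled CSSOM entry point names its algorithm.
function invoke(blocked, algorithm) {
  if (blocked.includes(algorithm)) throw new SecurityError(algorithm);
}
class ToySheet {
  constructor(blocked) {
    this.blocked = blocked;
    // Constructed sample: one existing author rule.
    this.rules = [{ selector: ".hidden", declarations: "display: none" }];
  }
  insertRule(selector, declarations) {
    invoke(this.blocked, "insert a CSS rule");
    this.rules.push({ selector, declarations });
  }
  setStyleCssText(i, declarations) {   // models rule.style.cssText = ...
    invoke(this.blocked, "parse a CSS declaration block");
    this.rules[i].declarations = declarations;
  }
  setSelectorText(i, selector) {       // models rule.selectorText = ...
    invoke(this.blocked, "parse a group of selectors");
    this.rules[i].selector = selector;
  }
}
// Try each script-side write and record whether the policy stops it.
function audit(blocked) {
  const sheet = new ToySheet(blocked);
  const attempts = {
    "insertRule()": () => sheet.insertRule("#notice", "display: none"),
    ".style.cssText": () => sheet.setStyleCssText(0, "display: block"),
    ".selectorText": () => sheet.setSelectorText(0, "#notice"),
  };
  const result = {};
  for (const [api, run] of Object.entries(attempts)) {
    try { run(); result[api] = "allowed"; }
    catch (e) {
      if (!(e instanceof SecurityError)) throw e;
      result[api] = "SecurityError";
    }
  }
  result.finalSelector = sheet.rules[0].selector;
  return result;
}
console.log(audit(CSP2_7_18), audit(PROPOSED));
```

Under the 7.18 list the existing `display: none` rule ends up matching `#notice` even though no rule was inserted and no declaration was parsed; with the added algorithm the selector stays `.hidden`.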