[CSP] Regarding style-src unsafe-eval and CSSOM


My colleagues David Baron and Jonas Sicking at Mozilla spurred a short
discussion of the CSSOM threat model in CSP2:
They found it particularly unclear what the threat model is and what
'unsafe-eval' is supposed to protect against.
Considering that 'eval' has no meaning in CSS, it would help to add a
note that explains it a bit further, e.g.:

>'unsafe-eval' protects against CSS modifications from script by
> modifying style through '.style', '.cssText', 'insertRule()' and
> '.selectorText'.

Jonas also highlighted that existing CSS rules could be re-used as
gadgets to restyle the document. This can be done by changing selectors
through the 'selectorText' attribute (as included in the note above).

We can fix this by adding the "parse a group of selectors" algorithm[1]
to the existing text in CSP2 7.18:
"Whenever the user agent would invoke the Cascading Style Sheets Object
Model algorithms insert a CSS rule, parse a CSS rule, or parse a CSS
declaration block, instead the user agent MUST throw a SecurityError
exception and terminate the algorithm."

Considering that adding the algorithm is more an oversight than a new
spec feature, I assume this can be squeezed in despite the end of Last Call?


[1] The algorithm is defined in
<http://dev.w3.org/csswg/cssom/#parse-a-group-of-selectors> and only
used here <http://dev.w3.org/csswg/cssom/#the-cssstylerule-interface>.

Received on Thursday, 28 August 2014 09:23:55 UTC
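Added example, not code from the post above or from any browser's CSSOM: a toy model of the script-facing CSSOM entry points that CSP2 section 7.18 gates on style-src 'unsafe-eval', extended with the "parse a group of selectors" algorithm the post proposes adding, and of the selector gadget Jonas described (re-pointing an existing `.hidden { display: none }` rule at `body` without writing any new CSS). The `StyleSheet` class, the three toy parsers, the policy parser, the element matcher and the constructed rule list are all stand-ins written for this example.

```javascript
// Added example (not from the original post or any CSSOM implementation):
// a toy model of the CSP2 7.18 check around the CSSOM parse algorithms,
// plus the proposed "parse a group of selectors" gate on selectorText.

class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// Effective style-src source list: style-src, else default-src, else null.
function effectiveStyleSrc(policy) {
  const directives = new Map();
  for (const d of policy.split(";")) {
    const tokens = d.trim().split(/\s+/);
    if (tokens[0]) directives.set(tokens[0], new Set(tokens.slice(1)));
  }
  return directives.get("style-src") || directives.get("default-src") || null;
}

// CSP2 7.18: script-driven CSS parsing is permitted only if no policy applies
// to styles or 'unsafe-eval' is an allowed style source.
function cssEvalAllowed(policy) {
  const sources = effectiveStyleSrc(policy);
  return sources === null || sources.has("'unsafe-eval'");
}

function guard(policy, algorithm) {
  if (!cssEvalAllowed(policy)) {
    throw new SecurityError(`${algorithm}: blocked, style-src lacks 'unsafe-eval'`);
  }
}

// Toy stand-ins for the CSSOM algorithms of the same names.
function parseDeclarationBlock(text) {
  const style = {};
  for (const decl of text.split(";")) {
    const colon = decl.indexOf(":");
    if (colon > 0) style[decl.slice(0, colon).trim()] = decl.slice(colon + 1).trim();
  }
  return style;
}

function parseGroupOfSelectors(text) {
  const selectors = text.split(",").map((s) => s.trim()).filter(Boolean);
  if (selectors.length === 0) throw new SyntaxError("empty selector list");
  return selectors;
}

function parseRule(text) {
  const m = /^\s*([^{]+)\{([^}]*)\}\s*$/.exec(text);
  if (!m) throw new SyntaxError(`bad rule: ${text}`);
  return { selectors: parseGroupOfSelectors(m[1]), style: parseDeclarationBlock(m[2]) };
}

// Rules passed to the constructor stand for the document's own <style>/<link>
// content; only the script-facing setters below run the 7.18 check.
class StyleSheet {
  constructor(policy, ruleTexts) {
    this.policy = policy;
    this.cssRules = ruleTexts.map(parseRule);
  }
  insertRule(text, index) {            // CSSOM "insert a CSS rule"
    guard(this.policy, "insert a CSS rule");
    this.cssRules.splice(index, 0, parseRule(text));
  }
  setCssText(index, text) {            // CSSRule.cssText setter: "parse a CSS rule"
    guard(this.policy, "parse a CSS rule");
    this.cssRules[index] = parseRule(text);
  }
  setStyle(index, text) {              // rule.style.cssText setter: declaration block
    guard(this.policy, "parse a CSS declaration block");
    this.cssRules[index].style = parseDeclarationBlock(text);
  }
  setSelectorText(index, text) {       // CSSStyleRule.selectorText setter (proposed gate)
    guard(this.policy, "parse a group of selectors");
    this.cssRules[index].selectors = parseGroupOfSelectors(text);
  }
}

// Minimal matcher: a selector is a bare tag name or a single ".class".
function computedStyle(sheet, element) {
  const style = {};
  for (const rule of sheet.cssRules) {
    const hit = rule.selectors.some((s) =>
      s.startsWith(".") ? element.classes.includes(s.slice(1)) : s === element.tag);
    if (hit) Object.assign(style, rule.style);
  }
  return style;
}

// Constructed document: a benign rule hides elements carrying class "hidden".
const RULES = [".hidden { display: none; }", "p { color: black; }"];
const BODY = { tag: "body", classes: [] };

// The gadget: no new CSS is parsed, the existing hiding rule is re-pointed at
// <body> through selectorText alone. Returns what <body> ends up with.
function retargetHidingRule(policy) {
  const sheet = new StyleSheet(policy, RULES);
  try {
    sheet.setSelectorText(0, "body");
    return { display: computedStyle(sheet, BODY).display, error: null };
  } catch (e) {
    return { display: computedStyle(sheet, BODY).display, error: e.name };
  }
}
```

With `style-src 'self' 'unsafe-eval'` the gadget succeeds and `body` picks up `display: none`; with `style-src 'self'` (or a `default-src 'self'` that style-src falls back to) the setter throws `SecurityError` and the sheet is left untouched, which is the behaviour the post asks CSP2 7.18 to spell out for selectorText as it already does for insertRule, cssText and style.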