- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Tue, 02 Jun 2015 18:57:07 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaVgtyX10kY8-tZcNzw41OMc_9T8MD4RXLt=UY1_K8E5Aw@mail.gmail.com>
Is there any intent on blocking JavaScript API access to the DOM when unsafe-inline is not used in CSP rules?

So for example the following is currently blocked:

    element.setAttribute('style', 'border: 1px solid #000;');

However the following is not blocked:

    element.style.border = '1px solid #000';

After speaking with Mike West about this it is unclear why the differential between the two APIs. Before changing over the code of many projects to enforce the usage of style properties rather than style attributes I thought it was worth confirming.

My understanding of this rule is mostly to rule out the following usages: '<style>' and ' style="" ' which leads me to ask are browsers being overzealous in blocking element.setAttribute('style'...?

I'm fairly certain it should be blocked as constructing styles from strings is the danger however I feel the specification doesn't cover clearly what should be blocked.

So for the vast part of this usage, the code can be cleaned up into stylesheet rules. However the use case is for dynamic built properties which are based upon library usage of DOM within JavaScript.

If this were to be excluded in future, I personally would advise a separate CSP directive. It already seems to be commonplace advice just to enable style-src unsafe-inline.

I see this has been raised twice before, however I'm not sure the response really answers my question:

https://lists.w3.org/Archives/Public/public-webappsec/2012Mar/0046.html
https://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html

Kind regards
Jonathan
Received on Tuesday, 2 June 2015 18:57:47 UTC
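
For the migration the message contemplates (style attributes to style properties), an added example that is not part of the original message: it splits a declaration string and applies each declaration through `element.style.setProperty`, a CSSOM call like the `element.style.border` assignment the message reports as not blocked. The names `parseDeclarations` and `applyStyle` are hypothetical, and that `setProperty` is treated the same as the property assignment under CSP is an assumption.

```javascript
// Added example (hypothetical helpers): replace setAttribute('style', text)
// with per-declaration CSSOM writes so no inline style attribute is created.
function parseDeclarations(cssText) {
  const decls = [];
  let buf = '', quote = null, depth = 0, esc = false;
  const flush = () => {
    const i = buf.indexOf(':');           // first colon ends the property name
    if (i > 0) {
      const prop = buf.slice(0, i).trim();
      let value = buf.slice(i + 1).trim();
      let priority = '';
      const m = /\s*!\s*important$/i.exec(value);
      if (m) { value = value.slice(0, m.index); priority = 'important'; }
      if (prop && value) decls.push([prop, value, priority]);
    }
    buf = '';
  };
  for (const ch of cssText) {
    if (esc) esc = false;                  // character after a backslash is literal
    else if (ch === '\\') esc = true;
    else if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')') { if (depth > 0) depth--; }
    else if (ch === ';' && depth === 0) { flush(); continue; }
    buf += ch;                             // ';' inside quotes or url(...) is kept
  }
  flush();                                 // last declaration may lack a ';'
  return decls;
}

// Unlike setAttribute('style', ...), this adds to the element's existing
// inline declarations instead of replacing them all.
function applyStyle(element, cssText) {
  const decls = parseDeclarations(cssText);
  for (const [prop, value, priority] of decls) {
    element.style.setProperty(prop, value, priority);
  }
  return decls.length;
}
```

In a browser, `applyStyle(element, 'border: 1px solid #000;')` stands in for the `setAttribute` call quoted in the message.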