
CSP unsafe-inline DOM access

From: Jonathan Kingston <jonathan@jooped.com>
Date: Tue, 02 Jun 2015 18:57:07 +0000
Message-ID: <CAKrjaaVgtyX10kY8-tZcNzw41OMc_9T8MD4RXLt=UY1_K8E5Aw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Is there any intent on blocking JavaScript API access to the DOM when
unsafe-inline is not used in CSP rules?

So for example the following is currently blocked:

    element.setAttribute('style', 'border: 1px solid #000;');

However the following is not blocked:

    element.style.border = '1px solid #000';

After speaking with Mike West about this, it is unclear why there is a differential
between the two APIs. Before changing over the code of many projects to
enforce the usage of style properties rather than style attributes, I
thought it was worth confirming.

My understanding of this rule is that it is mostly to rule out the following usages:
'<style>' and ' style="" ', which leads me to ask: are browsers being
overzealous in blocking element.setAttribute('style', ...)? I'm fairly certain
it should be blocked, as constructing styles from strings is the danger;
however, I feel the specification doesn't clearly cover what should be
blocked.

So for the vast majority of this usage, the code can be cleaned up into
stylesheet rules. However, the use case is for dynamically built properties
which are based upon library usage of the DOM within JavaScript.
If this were to be excluded in future, I personally would advise a separate
CSP directive. It already seems to be commonplace advice just to enable
style-src 'unsafe-inline'.

I see this has been raised twice before, however I'm not sure the response
really answers my question:
https://lists.w3.org/Archives/Public/public-webappsec/2012Mar/0046.html
https://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html

Kind regards
Jonathan
Received on Tuesday, 2 June 2015 18:57:47 UTC
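The migration the message describes (moving from a string-built style attribute to per-property CSSOM assignments), as an added example that is not part of the original post or of any browser's or the spec's code. It assumes the behaviour the message reports: `element.setAttribute('style', cssText)` is blocked by a `style-src` policy without `'unsafe-inline'`, while `element.style.setProperty(...)` is not. The helper names (`splitDeclarations`, `parseDeclarations`, `applyStyleViaCssom`) and the stand-in element used so the code runs under Node without a browser are constructed for this example.

```javascript
// Added example (not from the mailing-list post): migrate a string-built
// style attribute to per-property CSSOM assignments. Under a style-src
// policy without 'unsafe-inline', element.setAttribute('style', cssText)
// is blocked, while element.style.setProperty(...) goes through the CSSOM
// and is not covered by that check (the asymmetry the message asks about).

// Split a declaration list on ';' while respecting quotes and parentheses,
// so values such as url("data:image/png;base64,...") survive intact.
function splitDeclarations(cssText) {
  const parts = [];
  let depth = 0, quote = null, current = '';
  for (const ch of cssText) {
    if (quote) {
      current += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; current += ch; continue; }
    if (ch === '(') depth++;
    if (ch === ')') depth = Math.max(0, depth - 1);
    if (ch === ';' && depth === 0) { parts.push(current); current = ''; continue; }
    current += ch;
  }
  parts.push(current);
  return parts.map(s => s.trim()).filter(Boolean);
}

// Parse "prop: value [!important]" pairs into structured declarations and
// reject anything that is not a plausible property name.
function parseDeclarations(cssText) {
  return splitDeclarations(cssText).map(decl => {
    const idx = decl.indexOf(':');
    if (idx === -1) throw new Error(`malformed declaration: ${decl}`);
    const name = decl.slice(0, idx).trim().toLowerCase();
    let value = decl.slice(idx + 1).trim();
    let priority = '';
    const m = /\s*!important$/i.exec(value);
    if (m) { priority = 'important'; value = value.slice(0, m.index).trim(); }
    // Allow ordinary properties and custom properties (--foo).
    if (!/^-{0,2}[a-z][a-z0-9-]*$/.test(name)) throw new Error(`bad property name: ${name}`);
    return { name, value, priority };
  });
}

// The "after": apply each declaration through the CSSOM instead of calling
// element.setAttribute('style', cssText). Returns the number of declarations set.
function applyStyleViaCssom(element, cssText) {
  const decls = parseDeclarations(cssText);
  for (const { name, value, priority } of decls) {
    element.style.setProperty(name, value, priority);
  }
  return decls.length;
}

// Constructed stand-in for a DOM element so the example runs under Node;
// it records what a real CSSStyleDeclaration would receive.
function fakeElement() {
  const props = new Map();
  return {
    style: {
      setProperty(name, value, priority = '') { props.set(name, { value, priority }); },
      getPropertyValue(name) { return props.has(name) ? props.get(name).value : ''; },
      getPropertyPriority(name) { return props.has(name) ? props.get(name).priority : ''; },
    },
  };
}

// Usage: the string from the message, plus a value containing ';' inside url().
const el = fakeElement();
applyStyleViaCssom(el, 'border: 1px solid #000; background: url("data:image/png;base64,AAAA;BBBB") !important');
console.log(el.style.getPropertyValue('border'));         // 1px solid #000
console.log(el.style.getPropertyPriority('background'));  // important
```

Note that this only satisfies the policy; it does not make untrusted input safe. The message's own point is that constructing styles from strings is the danger, and a value such as `url(...)` built from attacker-controlled text is just as much a problem when it reaches `setProperty` as when it reached `setAttribute('style', ...)`. Validate or allow-list property names and values where the input is not fully under your control.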
