- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 01 Mar 2013 19:15:56 +0100
- To: public-webappsec@w3.org
- Cc: www-style@w3.org
Hi,

<http://www.w3.org/TR/2012/CR-CSP-20121115/#security-considerations>:

> The style-src directive restricts the locations from which the protected resource can load styles. However, if the user agent uses a lax CSS parsing algorithm, an attacker might be able to trick the user agent into accepting malicious "style sheets" hosted by an otherwise trustworthy origin. These attacks are similar to the CSS cross-origin data leakage attack described by Chris Evans in 2009. User agents should defend against both attacks using the same mechanism: stricter CSS parsing rules for style sheets with improper MIME types.

I do not understand this text, starting with why user agents would load non-text/css resources as style sheets into `style-src` restricted documents. It does not say what web sites can do to protect against this kind of attack, or how using "stricter parsing rules" is a defense for the user agent. More importantly, I do not understand how to comply with the "SHOULD" requirement here: what actually are these "stricter rules"?

regards,
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 1 March 2013 18:16:23 UTC
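As an added illustration (not part of the post above, the CSP specification, or any browser's code) of the two checks the quoted security-considerations text combines, here is a simplified model of a user agent deciding whether a fetched resource may be applied as a style sheet: the `style-src` source list is matched first, then the "improper MIME type" rule is applied in the form browsers adopted against the 2009 cross-origin CSS data-leakage attack (a resource not served as `text/css` is rejected unless it is same-origin and the document is in quirks mode). The exact shape of that MIME rule, the `'self'`/`'none'`/host-source subset of CSP matching, and all URLs are assumptions of this example.

```python
# Added example: a simplified model of "style-src" matching plus the strict
# MIME-type rule for style sheets. Not the CSP spec's or any browser's code.
from urllib.parse import urlparse


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL (port kept only when explicit)."""
    p = urlparse(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}" + (f":{p.port}" if p.port else "")


def style_src_allows(directive: str, document_url: str, sheet_url: str) -> bool:
    """Match sheet_url against a CSP style-src source list.

    Subset only (assumption): 'self', 'none', exact scheme://host[:port]
    sources, and a leading "*." host wildcard (scheme not checked for it).
    """
    sheet_origin = origin_of(sheet_url)
    sheet_host = urlparse(sheet_url).hostname or ""
    for src in directive.split():
        if src == "'none'":
            return False
        if src == "'self'" and sheet_origin == origin_of(document_url):
            return True
        if src.startswith("*."):
            if sheet_host.endswith(src[1:]):  # "*.example.org" -> ".example.org"
                return True
        elif src == sheet_origin:
            return True
    return False


def may_apply_stylesheet(document_url: str, sheet_url: str, content_type: str,
                         style_src: str, quirks_mode: bool = False):
    """Decide whether a fetched resource is applied as a style sheet.

    Returns (allowed, reason). The MIME rule modelled here (assumption):
    text/css is always accepted; anything else is accepted only when the
    resource is same-origin and the document is in quirks mode, which is
    what stops a cross-origin HTML/JSON page from being "parsed" as CSS.
    """
    if not style_src_allows(style_src, document_url, sheet_url):
        return False, "blocked by style-src"
    mime = content_type.split(";")[0].strip().lower()
    if mime == "text/css":
        return True, "text/css"
    if quirks_mode and origin_of(document_url) == origin_of(sheet_url):
        return True, "same-origin resource accepted in quirks mode"
    return False, f"rejected: {mime or 'missing'} MIME type on style sheet"
```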