Re: CSP 1.0: Lax and strict CSS parsing rules

On Fri, Mar 1, 2013 at 10:15 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>   <http://www.w3.org/TR/2012/CR-CSP-20121115/#security-considerations>:
>
>   The style-src directive restricts the locations from which the
>   protected resource can load styles. However, if the user agent uses a
>   lax CSS parsing algorithm, an attacker might be able to trick the user
>   agent into accepting malicious "style sheets" hosted by an otherwise
>   trustworthy origin.
>
>   These attacks are similar to the CSS cross-origin data leakage attack
>   described by Chris Evans in 2009. User agents should defend against
>   both attacks using the same mechanism: stricter CSS parsing rules for
>   style sheets with improper MIME types.
>
> I do not understand this text, starting with why user agents would load
> non-text/css resources as style sheets into `style-src` restricted
> documents. It does not say what web sites can do to protect against this
> kind of attack, or how using "stricter parsing rules" is a defense for
> the user agent. More importantly, I do not understand how to comply with
> the "SHOULD" requirement here: what actually are these "stricter rules"?

The CSSWG didn't produce that document, so I can't offer any
clarification.  However, I can at least comment on a few of your
questions.

The Cascade spec defines how Content-Type is used in interpreting a
style sheet <http://dev.w3.org/csswg/css3-cascade/#import-content-type>.
Summary is that in order to be loaded, a stylesheet must either have
a Content-Type of text/css, have no Content-Type at all, or be both
same-origin and in quirks mode.  (I guess technically this only
applies to imported style sheets, not ones linked in via other
document languages.  I think that's the technically correct choice.)

The proper parsing rules are just to follow the Syntax spec
<http://dev.w3.org/csswg/css3-syntax/> once it's completely finished.

~TJ

Received on Friday, 1 March 2013 19:24:03 UTC
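
The Content-Type rule as summarised in the reply above, written out as an added example; it is not part of the original message and not any browser's or spec's own code. The function names, the `.example` URLs and the treatment of an empty header as "no Content-Type" are assumptions made for illustration.

```javascript
// Added illustration of the loading rule summarised in the message:
// load only if Content-Type is text/css, OR there is no Content-Type,
// OR the sheet is same-origin AND the document is in quirks mode.
// All names here are hypothetical.

// Reduce a Content-Type header value to its lowercase type/subtype.
// Returns null when the header is absent (assumption: empty counts as absent).
function mimeEssence(contentType) {
  if (contentType == null) return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return essence === '' ? null : essence;
}

// Compare scheme, host and port using the URL parser's origin serialisation.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function mayLoadAsStyleSheet({ documentUrl, sheetUrl, contentType, quirksMode }) {
  const essence = mimeEssence(contentType);
  if (essence === 'text/css') return { load: true, reason: 'text/css' };
  if (essence === null) return { load: true, reason: 'no Content-Type' };
  if (quirksMode && sameOrigin(documentUrl, sheetUrl)) {
    return { load: true, reason: 'same-origin in quirks mode' };
  }
  return { load: false, reason: 'refused: ' + essence };
}

// Constructed sample responses, not captured traffic.
const doc = 'https://app.example/page';
const cases = [
  { sheetUrl: 'https://cdn.example/site.css', contentType: 'Text/CSS; charset=utf-8', quirksMode: false },
  { sheetUrl: 'https://cdn.example/legacy', contentType: undefined, quirksMode: false },
  { sheetUrl: 'https://app.example/old.txt', contentType: 'text/plain', quirksMode: true },
  // An origin allowed by style-src serving non-CSS content: refused even in quirks mode.
  { sheetUrl: 'https://cdn.example/profile?id=1', contentType: 'text/html', quirksMode: true },
  { sheetUrl: 'https://app.example/old.txt', contentType: 'text/plain', quirksMode: false },
];
for (const c of cases) {
  const r = mayLoadAsStyleSheet({ documentUrl: doc, ...c });
  console.log(c.sheetUrl, '->', r.load ? 'load' : 'block', '(' + r.reason + ')');
}
```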