On Mar 29, 11:46 am, Sid Stamm <s...@mozilla.com> wrote:
> On 3/28/09 7:10 PM, FunkyRes wrote:
> > I've been working on a php class that implements CSP as an output
> >
> > 1) if style-src does not contain the host the page is being served
> > from, do in-line style need to be blocked?
>
> I think that would be the right thing to do. We would also probably
> want to block use of the style attribute in HTML tags.

I agree with this. We need to make it more clear in the spec, but I have
considered inline style as well as style attributes as being subject to
the same style-src policy as any CSS being loaded from external
stylesheets.

> > 3) Does CSP really block all event attributes?
>
> We're working on a more detailed description that will address details
> like this. We have to allow event handlers in one way or another or
> like half the web will implode. It is my thought that we should allow
> event handlers in the HTML served on the main page, but they aren't
> extracted from data contexts after that; basically, once the load event
> fires, event handlers are frozen (except in JavaScript) and attribute
> manipulation won't register new ones. Look for an update on the details
> page you referenced soon.

Actually, all event-handling HTML attributes will be blocked, as they
are a common vector for XSS, e.g. <body onload="evil()">. However, sites
will still be able to do event handling in the following ways:

1) setting the on<event> properties of an element, e.g.
   foo.onclick = myFunc;
2) using addEventListener, e.g.
   foo.addEventListener("click", myFunc, false);

Of course, both methods would have to be used from within white-listed
script files.

> As I mentioned, we're working on a very detailed list of the basic
> restrictions imposed on any CSP-implementing site (regardless of the
> policy), and will be updating the wiki as well with more details as
> discussion progresses.
>
> Thanks for the feedback!
>
> -Sid

That's right. We will have an updated set of documentation published
very shortly (this week) and we'll post to the list as soon as it's up.

Cheers,
Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
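As an added example (not from the thread and not Mozilla's implementation), a small Node.js script that scans page markup for the constructs discussed above: on<event> attributes, which the draft would block outright, plus style attributes and inline <style> elements, which Brandon says fall under the same style-src policy. The sample HTML is constructed; the regex scan assumes simple, well-formed markup and is not a substitute for an HTML parser.

```javascript
// Added example (not from the thread): list the markup a CSP-enabled site
// would have to migrate: inline on<event> handlers, style="" attributes and
// inline <style> elements. Assumption: simple markup; regex scan, not a parser.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
function auditMarkup(html) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {   // opening tags only: </x> never matches
    const tag = m[1].toLowerCase();
    if (tag === 'style') {
      findings.push({ tag, attr: null, value: null, kind: 'inline-style-element' });
    }
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (/^on[a-z]+$/.test(name)) {            // on<event>="..." would be blocked
        findings.push({ tag, attr: name, value, kind: 'event-handler-attribute' });
      } else if (name === 'style') {           // subject to style-src, per the thread
        findings.push({ tag, attr: name, value, kind: 'style-attribute' });
      }
    }
  }
  return findings;
}
// The registration the thread recommends instead of an on<event> attribute:
// addEventListener called from a white-listed script file. Returns null for
// findings that are not event handlers.
function migrationHint(finding) {
  if (finding.kind !== 'event-handler-attribute') return null;
  const eventName = finding.attr.slice(2);     // "onclick" -> "click"
  return `element.addEventListener("${eventName}", handler, false)`;
}
// Constructed sample page (not from the thread).
const SAMPLE_HTML = `<html>
<head><style>body { color: red }</style></head>
<body onload="init()">
  <div style="display:none" id="x">hidden</div>
  <a href="/go" onclick="track(this); return false;">go</a>
</body>
</html>`;
for (const f of auditMarkup(SAMPLE_HTML)) {
  console.log(f.kind, `<${f.tag}>`, f.attr ?? '', migrationHint(f) ?? '');
}
```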