On Mar 29, 11:46 am, Sid Stamm <s...@mozilla.com> wrote:
> On 3/28/09 7:10 PM, FunkyRes wrote:
> > I've been working on a php class that
> > implements CSP as an output
> > 1) if style-src does not contain the host the page is being served
> > from, do in-line style need to be blocked?
>
> I think that would be the right thing to do.  We would also probably
> want to block use of the style attribute in HTML tags.

I agree with this.  We need to make it more clear in the spec, but I
have considered inline style as well as style attributes as being
subject to the same style-src policy as any CSS being loaded from
external stylesheets.

> > 3) Does CSP really block all event attributes?
>
> We're working on a more detailed description that will address details
> like this.  We have to allow event handlers in one way or another or
> like half the web will implode.  It is my thought that we should allow
> event handlers in the HTML served on the main page, but they aren't
> extracted from data contexts after that; basically, once the load event
> fires, event handlers are frozen (except in JavaScript) and attribute
> manipulation won't register new ones.  Look for an update on the details
> page you referenced soon.

Actually, all event-handling HTML attributes will be blocked, as they
are a common vector for XSS, e.g. <body onload="evil()">.  However,
sites will still be able to do event handling in the following ways:
1) setting the on<event> properties of an element, e.g. foo.onclick =
myFunc;
2) using addEventListener, e.g. foo.addEventListener("click", myFunc,
false);

Of course, both methods would have to be used from within white-listed
script files.

> As I mentioned, we're working on a very detailed list of the basic
> restrictions imposed on any CSP-implementing site (regardless of the
> policy), and will be updating the wiki as well with more details as
> discussion progresses.  Thanks for the feedback!
>
> -Sid

That's right.  We will have an updated set of documentation published
very shortly (this week) and we'll post to the list as soon as it's
up.

Cheers,
Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
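The restriction Brandon describes above (all on<event> attributes blocked; handlers must be registered from white-listed script via element properties or addEventListener) is the kind of thing a site migrating to CSP has to find and rewrite in its templates. The following is an added example, not code from the thread or from Mozilla's CSP implementation: a small Node.js linter that flags markup this policy would block (inline event-handler attributes, inline <script> without src, <style> elements and style= attributes, matching the style-src discussion earlier in the thread) and a helper that moves inline handlers into an addEventListener-based script block that could be served as an external, white-listed file. The regex-based tag scanning and the generated `csp-el-N` element ids are assumptions made for the example; attribute values are not HTML-entity-decoded.

```javascript
// Added example (not from the thread): find markup a CSP like the one discussed
// would block, and rewrite inline handlers into addEventListener registrations.
// Matches ` onclick="..."`, ` onclick='...'` or ` onclick=bare` inside a start tag.
const HANDLER_ATTR_RE = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Matches a start tag and captures its name and raw attribute text.
const START_TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// body onload/onunload really belong to the window, not the element.
const WINDOW_EVENTS = new Set(['load', 'unload']);

// Report everything the policy would refuse to execute or apply.
function lintForCsp(html) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(START_TAG_RE)) {
    const tag = rawTag.toLowerCase();
    for (const [, name] of attrs.matchAll(HANDLER_ATTR_RE)) {
      findings.push({ kind: 'inline-handler', tag, detail: name.toLowerCase() });
    }
    if (/\sstyle\s*=/i.test(attrs)) findings.push({ kind: 'inline-style-attr', tag, detail: 'style=' });
    if (tag === 'style') findings.push({ kind: 'style-element', tag, detail: '<style>' });
    if (tag === 'script' && !/\ssrc\s*=/i.test(attrs)) {
      findings.push({ kind: 'inline-script', tag, detail: '<script> without src' });
    }
  }
  return findings;
}

// Strip on<event> attributes and emit equivalent addEventListener calls.
// Elements without an id get a generated one (assumed naming: csp-el-N) so the
// external script can find them.
function extractHandlers(html) {
  const script = [];
  let counter = 0;
  const rewritten = html.replace(START_TAG_RE, (whole, rawTag, attrs) => {
    const tag = rawTag.toLowerCase();
    const handlers = [];
    let cleaned = attrs.replace(HANDLER_ATTR_RE, (_, name, dq, sq, bare) => {
      handlers.push([name.toLowerCase().slice(2), dq ?? sq ?? bare]);
      return '';
    });
    if (handlers.length === 0) return whole;
    const idMatch = /\sid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(cleaned);
    let id = idMatch ? (idMatch[1] ?? idMatch[2] ?? idMatch[3]) : null;
    if (!id) {
      id = `csp-el-${++counter}`;
      cleaned += ` id="${id}"`;
    }
    for (const [evt, code] of handlers) {
      const target = tag === 'body' && WINDOW_EVENTS.has(evt)
        ? 'window'
        : `document.getElementById(${JSON.stringify(id)})`;
      // A function expression keeps `this` bound to the element, as the inline
      // attribute did; `event` is passed by addEventListener.
      script.push(`${target}.addEventListener(${JSON.stringify(evt)}, function (event) { ${code} }, false);`);
    }
    return `<${rawTag}${cleaned}>`;
  });
  return { html: rewritten, script: script.join('\n') };
}

// Constructed sample page, deliberately using the patterns the policy blocks.
const SAMPLE_HTML = [
  '<body onload="init()">',
  '<button id="save" onclick="save(this)">Save</button>',
  "<a href=\"#\" onMouseOver='hover(event)'>hover me</a>",
  '<div style="color:red">styled</div>',
  '<script>alert(1)</script>',
  '<script src="/js/app.js"></script>',
  '</body>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Findings:', lintForCsp(SAMPLE_HTML));
  const out = extractHandlers(SAMPLE_HTML);
  console.log('Rewritten markup:\n' + out.html);
  console.log('External script:\n' + out.script);
}

module.exports = { lintForCsp, extractHandlers, SAMPLE_HTML };
```

On the sample, the linter reports three inline handlers, one style attribute and one inline script; the rewrite leaves the markup free of on<event> attributes and produces a `window.addEventListener("load", ...)` line for the body's onload plus one `document.getElementById(...).addEventListener(...)` line per element, which is the form the thread says will still be permitted when served from a white-listed script file.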
