On 4/7/09 4:25 AM, Gervase Markham wrote:
> What's the story on inline <style> and style=""? At the moment the
> definition of "style-src" says they are subject to it, but there's no
> valid value for "in this document", and in the script case, all inline
> script is disabled.

As you mentioned, the style-src section indicates "...as well as inline <style> elements and style attributes of HTML elements." We are basically treating CSS in the same manner as JavaScript.

> Have we decided that there's a risk with all inline CSS style, or can we
> define and enforce a large safe subset of the language? Making people
> move their JS to external files is one thing, making them move all the
> style as well is yet another.

Since style is a vector for JavaScript, via XBL, it needs to be subject to the same restrictions.

-Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
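The rule Brandon describes (when style-src is present, inline <style> and style="" are refused outright because the draft has no "in this document" source value, while external sheets are matched against the source list) can be modelled as a small policy evaluator. This is an added illustration written for this page, not code from the CSP draft or from Mozilla; the source-expression matching ('self', *, *.host, bare host, scheme://host) is my simplified assumption of the draft's grammar, and the policy strings and origins are constructed.

```python
"""Toy evaluator for the draft-CSP style-src semantics discussed in the thread."""
from urllib.parse import urlparse


def parse_policy(header):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _source_matches(source, url, self_origin):
    """Match one (simplified, assumed) source expression against an absolute URL."""
    u = urlparse(url)
    if source == "'self'":
        s = urlparse(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if source == "*":
        return True
    if source.startswith("*."):
        # wildcard host: any subdomain of the given suffix
        return u.hostname is not None and u.hostname.endswith(source[1:])
    # bare host or scheme://host: compare host part only
    host = source.split("://")[-1].split("/")[0].split(":")[0]
    return u.hostname == host


def style_allowed(header, self_origin, kind, url=None):
    """Decide whether a style load is permitted under the page's policy.

    kind is 'external' (url required), 'inline-element' or 'style-attr'.
    """
    sources = parse_policy(header).get("style-src")
    if sources is None:
        return True  # no style-src directive: style is unrestricted
    if kind in ("inline-element", "style-attr"):
        # Draft gives no "this document" value, so inline style is always refused,
        # mirroring how inline script is handled.
        return False
    return any(_source_matches(s, url, self_origin) for s in sources)
```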