On 4/7/09 9:08 AM, Brandon Sterne wrote: >> Have we decided that there's a risk with all inline CSS style, or can we >> define and enforce a large safe subset of the language? Making people >> move their JS to external files is one thing, making them move all the >> style as well is yet another. > > Since style is a vector for JavaScript, via XBL, it needs to be subject > to the same restrictions.
Actually, my reasoning is wrong here. Style is no longer a vector for script under CSP because we added the restriction that "XBL bindings must come from chrome: or resource: URIs" for precisely this reason. The other reason to make inline CSS subject to the style-src directive (which I didn't state before because it didn't seem as strong a point) is increased consistency in the model. It seems inconsistent to offer controls on where style can come from if the restriction can be bypassed by injecting CSS directly into the document. Granted, injected CSS poses a much, much lower risk than injected script, but there is still the issue of page defacement, etc. I don't think the no-inline-style requirement is too punitive, though, as sites can still use normal CSS selectors and apply their styles from external, white-listed stylesheets. Sorry for the confusion. -Brandon _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
