Thanks for the great feedback, Eric. I have some additional comments that I haven't finished yet, but this was a quick one...
Gervase Markham wrote: > On 06/07/09 01:28, EricLaw wrote: >> Style-src >> I don’t know what “style attributes of HTML elements” means. > > It means <div style="some CSS here"></div> Perhaps the style-src tag does not need to apply to inline style after all. Originally, we had thought we needed this restriction to prevent CSS from being used as a vector for script injection via XBL and CSS expressions. However, there is the other restriction already in place which requires that XBL bindings come from chrome: or resource: URIs, so the XSS risk is extremely low. The only other risk of allowing inline CSS is page defacement, element hiding, etc. I think we should change the script-src directive to only apply to external stylesheet loads and let inline styles (<style> elements and style attributes) behave as they currently do. -Brandon _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security