On 10/22/09 3:58 PM, Lucas Adamski wrote:
CSS is content importing.. oh but IE allows CSS "expressions" so its a XSS vector too.
IE8 has killed expressions off, our CSP spec says -moz-binding has to come from chrome: or resource: (that is, be built in). https://wiki.mozilla.org/Security/CSP/Spec#XBL_bindings_must_come_from_chrome:_or_resource:_URIs
That's a pretty vendor-specific thing to put in CSP, I think we just want to kill or restrict -moz-binding in the product in general (as IE has done) and not worry about it in CSP. Either way, though, we can treat CSS only from the data-loading aspects. The implication of that is that we don't need to worry about "inline-style" which has been raised recently.
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
