Re: security.OCSP.require in Firefox

2009-10-15 Thread Gervase Markham

On 14/10/09 05:17, Daniel Veditz wrote:

Like the slashed-lock that indicates mixed mode (and is far too subtle
for my tastes) I expect a lot of users wouldn't even notice, but hope
that enough will to nudge things in the right direction.


Right. The intended effect is on the site owner, not on their customers. 
The site owner won't know what percentage of his customers have been 
scared away by the uglybar - and that's what makes it so worrying.


Regarding mixed content, doesn't IE 8 just block the insecure content by 
default, and silently? If so, can't we now switch to doing the same?


Gerv
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security


Re: Comments on the Content Security Policy specification

2009-10-15 Thread Brandon Sterne
On 07/30/2009 07:06 AM, Gervase Markham wrote:
 On 29/07/09 23:23, Ian Hickson wrote:
   * Combine style-src and font-src
 
 That makes sense.

I agree.  @font-face has to come from CSS which is already subject to
style-src restrictions.  I don't think there are any practical attacks
we are preventing by allowing a site to say style can come from foo
but not fonts.  I propose we combine the two directives and will do so
if there aren't objections.

Separately, there is another style-src related problem with the current
model [1]:

style-src restricts which sources are valid for externally linked
stylesheets, but all inline style is still allowed.  The current model
offers no real protection against style injected by an attacker.  If
anything, it provides a way for sites to prevent outbound requests
(CSRF) via injected <link rel=stylesheet> tags.  But if this is the
only protection we are providing, we could easily have stylesheets be
restricted to the allow list.

I think we face a decision:
A) we continue to allow inline styles and make external stylesheet loads
be subject to the allow policy, or
B) we disallow inline style and create an opt-in mechanism similar to
the inline-script option [2]

IOW, we need to decide if webpage defacement via injected style is in
the threat model for CSP and, if so, then we need to do B.

Thoughts?

-Brandon

[1] https://wiki.mozilla.org/Security/CSP/Spec#style-src
[2] https://wiki.mozilla.org/Security/CSP/Spec#options
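The two models Brandon lays out, as an added example that is not part of the thread or of Mozilla's CSP implementation: a toy JavaScript evaluator for the 2009-draft style-src directive that decides whether an external stylesheet or an inline style block is permitted under model A (inline always allowed, external loads checked against the allow list) and model B (inline blocked unless opted in). The header syntax (allow, style-src, options) follows the 2009 draft; the `inline-style` option keyword, the host names, the sample headers and the injected CSS are assumptions made for this example.

```javascript
// Added example; not code from the thread or from Mozilla's CSP code.
// Model A: inline <style>/style="" always allowed, external loads checked.
// Model B: inline style blocked unless the (assumed) option "inline-style"
//          is present, mirroring the draft's existing "inline-script" option.

const PAGE_ORIGIN = 'https://shop.example'; // assumed origin of the protected page

// Constructed sample headers (X-Content-Security-Policy, 2009 draft syntax).
const HEADER_A = "allow 'self'; style-src 'self' https://cdn.example.com";
const HEADER_B = "allow 'self'; style-src 'self' https://cdn.example.com; options inline-style";

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split "name value value; name value; options a b" into directives and options.
function parsePolicy(header) {
  const policy = { directives: new Map(), options: new Set() };
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    if (name === 'options') values.forEach((v) => policy.options.add(v));
    else policy.directives.set(name, values);
  }
  return policy;
}

// Does one source expression ('self', '*', 'none', scheme://host:port, *.host)
// match the URL of an external stylesheet?
function sourceMatches(expr, url) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === PAGE_ORIGIN;
  if (expr === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unparseable expression never matches
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith('.' + h) : url.hostname === h;
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port && port !== '*' && urlPort !== port) return false;
  return true;
}

// Decide whether a style is permitted. `style` is either
// { inline: true, css: '...' } or { src: 'https://...' }.
function styleAllowed(policy, style, model) {
  if (style.inline) {
    return model === 'A' ? true : policy.options.has('inline-style');
  }
  // style-src falls back to the draft's catch-all "allow" directive.
  const sources = policy.directives.get('style-src') || policy.directives.get('allow') || ['*'];
  const url = new URL(style.src);
  return sources.some((expr) => sourceMatches(expr, url));
}

// Defacement scenario (constructed): an attacker gets a <style> block into the
// page through an unescaped comment field and hides the real content.
const INJECTED_STYLE = {
  inline: true,
  css: 'body > * { display: none } body::after { content: "defaced" }',
};

function defacementApplied(header, model) {
  return styleAllowed(parsePolicy(header), INJECTED_STYLE, model);
}

// Summary of the three interesting cases for the reader running this file.
function summary() {
  return {
    modelA_noOptIn: defacementApplied(HEADER_A, 'A'), // true: inline always allowed
    modelB_noOptIn: defacementApplied(HEADER_A, 'B'), // false: injected style blocked
    modelB_optIn: defacementApplied(HEADER_B, 'B'),   // true: site chose to allow inline
  };
}

console.log(summary());
```

Under model A the header offers nothing against the injected block, which is Brandon's point: the only thing style-src buys is control over outbound stylesheet requests. Under model B the same injection is dead on arrival unless the site explicitly opts back in, at which point the site owner, not the attacker, has made the trade-off.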