On 07/30/2009 07:06 AM, Gervase Markham wrote:
> On 29/07/09 23:23, Ian Hickson wrote:
>> * Combine style-src and font-src
>
> That makes sense.
I agree. @font-face has to come from CSS which is already subject to style-src restrictions. I don't think there are any practical attacks we are preventing by allowing a site to say "style can come from <foo> but not fonts". I propose we combine the two directives and will do so if there aren't objections.

Separately, there is another style-src related problem with the current model [1]: style-src restricts which sources are valid for externally linked stylesheets, but all inline style is still allowed. The current model offers no real protection against style injected by an attacker. If anything, it provides a way for sites to prevent outbound requests (CSRF) via injected <link rel="stylesheet"> tags. But if this is the only protection we are providing, we could easily have stylesheets be restricted to the "allow" list.

I think we face a decision:

A) we continue to allow inline styles and make external stylesheet loads be subject to the "allow" policy, or
B) we disallow inline style and create an opt-in mechanism similar to the inline-script option [2]

IOW, we need to decide if webpage defacement via injected style is in the threat model for CSP and, if so, then we need to do B.

Thoughts?

-Brandon

[1] https://wiki.mozilla.org/Security/CSP/Spec#style-src
[2] https://wiki.mozilla.org/Security/CSP/Spec#options

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
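As an added illustration of the gap described in the message above (this is not code from the thread or from Mozilla's CSP implementation), the toy model below evaluates style-related loads under option A and option B. The policy syntax is deliberately simplified, the page origin is constructed, and the `inline-style` opt-in keyword is an assumption that mirrors the existing `inline-script` option.

```python
"""Toy model of the two CSP style-handling options discussed in the thread.

Added illustration, not the CSP spec or Firefox's implementation. Simplified
syntax: directives are separated by ';', each is a name followed by
space-separated sources, 'self' is written without quotes, and an 'options'
directive carries opt-in keywords. 'inline-style' is a hypothetical opt-in
mirroring 'inline-script'.
"""
from urllib.parse import urlparse

SELF_ORIGIN = "https://example.org"  # constructed origin of the protected page


def parse_policy(text):
    """Return {directive_name: [tokens]} for a simplified policy string."""
    policy = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def _source_allowed(sources, url):
    """True when the URL's host matches an entry in the source list."""
    host = urlparse(url).hostname
    for src in sources:
        if src == "self" and host == urlparse(SELF_ORIGIN).hostname:
            return True
        if src == "*" or src == host:
            return True
    return False


def allows(policy_text, kind, url=None, model="A"):
    """Decide whether a style-related load is permitted under model A or B.

    kind: 'stylesheet' (external <link>), 'font' (@font-face url), or
          'inline-style' (a <style> block or style= attribute).
    Model A: external sheets and fonts fall under 'allow'; inline style is
             always permitted, so injected style cannot be stopped.
    Model B: the combined style-src governs external sheets and fonts; inline
             style is blocked unless 'options' carries the opt-in keyword.
    """
    policy = parse_policy(policy_text)
    if kind == "inline-style":
        if model == "A":
            return True
        return "inline-style" in policy.get("options", [])
    directive = "allow" if model == "A" else "style-src"
    sources = policy.get(directive, policy.get("allow", []))
    return _source_allowed(sources, url)
```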