On 15/10/09 22:20, Brandon Sterne wrote:
> I think we face a decision: A) we continue to allow inline styles and make external stylesheet loads be subject to the "allow" policy, or B) we disallow inline style and create an opt-in mechanism similar to the inline-script option
C) We do A, but disallow entirely some dangerous stylesheet constructs.
> IOW, we need to decide if webpage defacement via injected style is in the threat model for CSP and, if so, then we need to do B.
Is it just about defacement, or is it also about the fact that CSS can bring in behaviours etc?
If it's about defacement, then there's no set of "non-dangerous stylesheet constructs", and you can ignore my C. I think that, without executing JS code support, the successful attacks you could mount using CSS are limited. I guess you might put a notice on the bank website: "Urgent! Call this number and give them all your personal info!"...
Gerv