Added security consideration about CSS parsing.
author Adam Barth <w3c@adambarth.com>
Thu, 02 Feb 2012 14:36:49 -0800
changeset 83 52277a98cf90
parent 82 1c307c022bcf
child 84 6aaeb7aac353
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Thu Feb 02 13:33:42 2012 -0800
     1.2 +++ b/csp-specification.dev.html	Thu Feb 02 14:36:49 2012 -0800
     1.3 @@ -1260,6 +1260,25 @@
     1.4        </section>
     1.5      </section>
     1.6      <section>
     1.7 +      <h2>Security Considerations</h2>
     1.8 +      <section class="informative">
     1.9 +        <h3>Cascading Style Sheet (CSS) Parsing</h3>
    1.10 +
    1.11 +        <p>The <code>style-src</code> directive restricts the locations from
    1.12 +        which a document can load styles. However, if the user agent uses a
    1.13 +        lax CSS parsing algorithm, an attacker might be able to trick the user
    1.14 +        agent into accepting malicious "stylesheets" hosted by an otherwise
    1.15 +        trustworthy origin.</p>
    1.16 +
    1.17 +        <p>These attacks are similar to the <a
    1.18 +        href="http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">CSS
    1.19 +        cross-origin data leakage</a> attack described by Chris Evans in 2009.
    1.20 +        User agents SHOULD defend against both attacks using the same
    1.21 +        mechanism: stricter CSS parsing rules for stylesheets with improper
    1.22 +        MIME types.</p>
    1.23 +      </section>
    1.24 +    </section>
    1.25 +    <section>
    1.26        <h2>Implementation Considerations</h2>
    1.27        <section class="informative">
    1.28          <h3>Servers</h3>
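Review bot: The new section is marked `class="informative"` but uses the RFC 2119 keyword "SHOULD" ("User agents SHOULD defend against both attacks..."), so the requirement carries no normative weight where it sits; either drop the uppercase keyword in the informative text or move the requirement into the normative processing of `style-src` and have this section merely explain the rationale. Relatedly, "stricter CSS parsing rules for stylesheets with improper MIME types" names the mechanism without saying what it is; stating that a stylesheet fetched from another origin is not applied unless it is served with a `text/css` Content-Type (the check used for the Evans attack) would give implementers a concrete, testable rule rather than an open-ended "stricter".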