CSP 1.1: 'unsafe-eval' blocks certain CSSOM operations.

In [1] and [2], Mozilla proposed treating certain bits of the CSSOM in the same way we treat JavaScript operations like 'eval'. Specifically, those bits of the CSSOM like the 'cssText' setters and 'insertRule' methods directly interpret strings as CSS rules and declarations, and can and will be used to attack protected resources. This patch implements the suggestion in comment #0 of [2]. Comment #1 on the same bug goes further, asking for a more blanket restriction on setters of all kinds, including direct property setters. If the WG determines that that's the right balance to strike, a future patch can tighten the restrictions. [1]: http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=873302
w3c · Dec 28, 2013 · 34103c6 · 34103c6
1 parent 384aa92
commit 34103c6
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/csp-specification.dev.html b/csp-specification.dev.html
@@ -2146,7 +2146,7 @@ <h4><code>style-src</code></h4>
         <a href="#dfn-default-sources">default sources</a>.</p>
 
         <p>If <code>'unsafe-inline'</code> is <strong>not</strong> in the
-        list of <a href="#dfn-allowed-style-sources">allowed style sources</a>, 
+        list of <a href="#dfn-allowed-style-sources">allowed style sources</a>,
         or if at least one <code>nonce-source</code> or <code>hash-source</code>
         is present in the list of <a href="#dfn-allowed-style-sources">allowed style sources</a>:</p>
         <ul>
@@ -2165,12 +2165,24 @@ <h4><code>style-src</code></h4>
           <em>and</em> MUST <a href="#dfn-report-a-violation">report a
           violation</a>.</li>
         </ul>
-
         <p>Note: These restrictions on inline do not prevent the user agent
         from applying style from an external stylesheet (e.g., found via
-        <code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
-        not prevented from applying style from Cascading Style Sheets Object
-        Model (CSSOM). [[!CSSOM]]</p>
+        <code>&lt;link rel="stylesheet"&gt;</code>).</p>
+
+        <p>If <code>'unsafe-eval'</code> is <strong>not</strong> in
+        <a href="#dfn-allowed-style-sources">allowed style sources</a>, then:</p>
+
+        <ul>
+          <li>Whenever the user agent would invoke the Cascading Style Sheets
+          Object Model algorithms
+          <a href="http://dev.w3.org/csswg/cssom/#insert-a-css-rule"><code>insert a CSS rule</code></a>,
+          <a href="http://dev.w3.org/csswg/cssom/#parse-a-css-rule"><code>parse a CSS rule</code></a>,
+          or <a href="http://dev.w3.org/csswg/cssom/#parse-a-css-declaration-block"><code>parse a CSS declaration block</code></a>,
+          instead the user agent MUST throw a <code>SecurityError</code>
+          exception <em>and</em> terminate the algorithm. This would include,
+          for example, all invocations of CSSOM's various <code>cssText</code>
+          setters and <code>insertRule</code> methods. [[!CSSOM]] [[!DOM4]]</li>
+        </ul>
 
         <p>Whenever the user agent <a
         href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>