On Wed, Jan 18, 2012 at 9:28 AM, Michael Gundlach
<adblockf...@gmail.com> wrote:
> I am working to convert AdBlock to conform to CSP. While I'm finding that
> moving inline scripts into their own .js files is no problem, handling all
> the instances of inline styles is tedious, and perhaps not possible if I
> want to use jQuery[1].
Removing inline script is much more valuable than removing inline
style. One thing you can do is add the 'unsafe-inline' keyword to the
style-src directive, which will let you use inline style in your
extension. You'll be giving up a little bit of protection, but you'll
still get the vast majority of the security benefits of CSP.
> As I understand it, the only reason inline styles are disallowed is because
> someone could apply a 'binding' CSS property which indirectly could run
> JavaScript. It would be a blessing if we could specify in our CSP statement
> that we disallow 'binding', and thus all inline-styles are safe again.
Chrome doesn't support "binding" at all, so you're already protected
on that front. Blocking inline styles helps protect you against some
advanced attack techniques involving CSS selectors stealing
information from form elements. We have this feature in CSP for folks
who want to tighten up their security as much as possible, but
blocking inline scripts is a much bigger security win.
> Any chance of something like this happening? I know the arguments for
> strict separation of style and content, but it makes the code harder to
> understand in some cases. Forcing us to apply it 100% instead of
> disallowing the problematic subset of CSS feels a little overkill.
If you have any more questions about CSP, please don't hesitate to ask.
Thanks,
Adam
> [1] It looks like including jQuery (1.7.1) in an extension page such as the
> Options page isn't compatible with CSP. It generates 5 "Refused to apply
> inline style" errors. I've filed a bug with jQuery, but is this perhaps a
> Chrome problem? As it stands, I'm unable to proceed with CSP unless I give
> up jQuery.
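
The trade-off described in the reply above, as an added example that is not part of the original thread: a small Node.js check that reports whether a policy string permits inline script and inline style. The function names and sample policies are constructed for illustration, and only `script-src`, `style-src` and the `default-src` fallback are modelled.

```javascript
// Added example: audit which inline behaviours a CSP string permits.
// Assumption: only script-src / style-src with default-src fallback are modelled.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function allowsInline(directives, name) {
  // A missing script-src or style-src falls back to default-src.
  const sources = directives.get(name) ?? directives.get('default-src');
  // No governing directive at all means nothing is restricted.
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is listed.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function auditInline(policy) {
  const d = parseCsp(policy);
  return {
    inlineScript: allowsInline(d, 'script-src'),
    inlineStyle: allowsInline(d, 'style-src'),
  };
}

// Constructed sample policies (not taken from AdBlock or the thread).
const samples = {
  strict: "default-src 'self'",
  // Relaxes style only: inline script stays blocked.
  styleRelaxed: "default-src 'self'; style-src 'self' 'unsafe-inline'",
  // Misplaced keyword: the fallback also re-enables inline script.
  overRelaxed: "default-src 'self' 'unsafe-inline'",
};

for (const [label, policy] of Object.entries(samples)) {
  console.log(label, auditInline(policy));
}
```

Putting 'unsafe-inline' on style-src leaves inlineScript false, while putting it on default-src turns both on, which is the configuration to catch in review.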