
This is a common sight in content security policies:

style-src 'unsafe-inline'

I know that this allows "UI redressing attacks" that can be used for phishing or just defamation. But are there other threats as well? In particular, I am interested in:

  • Script execution
  • Data exfiltration

Can a liberal CSP for styles lead to any of those? If so, how?

Anders
  • (Strongly) related: [Cross site styling vulnerability?](https://security.stackexchange.com/questions/154629/cross-site-styling-vulnerability). You might want to point to that question in your question, and limit this question specifically to CSP issues (e.g. bypass of other CSP directives via this one), but exclude CSS injection in general. – tim Oct 18 '18 at 11:34
  • One of the comments in Dropbox sees this as a form of separating code on the website via referencing to whitelisted source instead. "This enforces code-data separation: all code running in the page has to come from script files in a whitelist of sources". – NASAhorse Oct 18 '18 at 12:23
