1

I would like to block the execution of any instance of CSS's url() function in CSS provided by my server. One promising method would be a CSP, but I'm not sure if this is possible using a CSP. Is it? And if not, what is the best way to accomplish this?

The reason is, there are some instances where users can modify CSS for other users, and I don't want them to be able to cause IP address leaks of users via the url() function.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
Alex V
  • 190
  • 6
  • 1
    It'snot clear for me what you are asking: would you like to prevent that some other site uses `url()` in their CSS to access your site or do you want to prevent the call of `url()` in a (user provided?) CSS on your own site? It might also be useful to describe why you want to do this in the first place, i.e. what risk you are trying to mitigate? – Steffen Ullrich Apr 26 '20 at 06:13
  • I am trying to prevent anyone on my server from using the `url()` function to access other sites. The reason is, there are some instances where users can modify CSS for other users, and I don't want them to be able to cause IP address leaks of users via the `url()` function. – Alex V Apr 26 '20 at 06:19
  • Could you please update your question with this information so that users don't have to dig through the comment in order to find out what the question is really about? – Steffen Ullrich Apr 26 '20 at 06:22
  • Sure, no problem :) – Alex V Apr 26 '20 at 06:33
  • You can set `img-src`, `font-src` and `style-src` directives to block an untrusted styelsheet from making requests. – Arminius Apr 26 '20 at 10:20
  • @Arminius But wouldn't style-src prevent users from using inline styles entirely? And if I allow unsafe-inline, I won't be able to block import and url() calls to external addresses – Alex V Apr 26 '20 at 18:51
  • `style-src 'unsafe-inline'` simply allows `style` attribute to work. The `url()` embedded within the `style` attribute still goes through the `img-src`, `font-src` and `style-src` checks if the browser works correctly. – Mikko Rantalainen Jun 15 '21 at 08:18

1 Answers1

1

Content Security Policy provides only a way to restrict the target of a request based on the context of the target but not on the actual source of the target. Thus it is not possible to restrict access specifically for url() called from a CSS but it is possible to restrict access for images.

Since your objective is to make sure that no IP leaks occur I think restricting only url() from CSS might be the wrong approach from start. While url() from CSS might be the only way available for users it is not the only way other sites can be accessed from within your code in general. For But for leaking IP it does not actually matter what the source of the request was, i.e. user provided URL's or your own code. So it might be better to simply have a list of white-listed sites where embedding is allowed and deny access to all others and apply this list globally to your site.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • If you want to prevent leaking IP addresses you basically want CSP `default-src 'self'`. If you *in addition* say `style-src 'unsafe-inline' 'self'` you enable inline `style` attribute but it cannot connect to remote sites either. – Mikko Rantalainen Jun 15 '21 at 08:20