
To comply with CSP specs, I am analyzing an older application for the use of inline style in the HTML.

What I don't understand is why inline styles are insecure, or rather what am I gaining in a security sense when I replace style="color:red" with class="red".

I see a lot of sites where I can find out how great it is that CSP solves the insecure inline style, or how to apply the syntax of CSP for inline style, but I can't seem to find what the vulnerability is with inline style vs. classes.

All the things in "CSP style-src: 'unsafe-inline' - is it worth it?" also apply to classes. It also states what can happen when you use inline styles and you get hit by an XSS. One of the comments in the answers is "Couldn't they just as easily mess up your page by modifying classes? I'm still not seeing the benefit." - that is still my question, and not answered.

For example, this answer says:

They could turn your page pink, and make it look silly.

When they have (via XSS for instance) access to my page, they can also inject some style and add a class, or add any of the bootstrap color classes to my HTML, so my page also looks silly.

They could modify the text of your page...

That has nothing to do with inline style; that is about XSS in general.

They could make user generated content, like a link they provided appear outside of the normal places where people expect to see user content, making it appear official.

Again, that has nothing to do with inline style; that is about XSS in general.

Using a carefully crafted style rules they could send any information included on the page to external domains...

Again, that has nothing to do with inline style; that is about XSS in general.

  • *We don't have to start a discussion ...* --> we don't do discussion at all here – Temani Afif Oct 13 '20 at 14:35
  • About the proposed answers: this question is so NOT about "What is the difference between style sheets and inline styles" – Michel Oct 13 '20 at 14:38
  • Specifically on CSP: https://stackoverflow.com/q/30653698/3001761 – jonrsharpe Oct 13 '20 at 14:40
  • I don't know what you've read, I only see what you've put in your question. But logically if the styles get changed the appearance changes far more arbitrarily than if the classes get changed (which is just toggling your styles on and off). – jonrsharpe Oct 13 '20 at 14:44
  • "security has nothing to do with it" vs "Content Security Policy" – Michel Oct 13 '20 at 14:55
  • @Ivar I did, but unfortunately some of my comments are deleted after I type them. In none of the links, which I all read, do I read why inline styles are more insecure than classes. I just don't see it. – Michel Oct 13 '20 at 14:57
  • @Michel I edited my comment to be more specific. That kind of information belongs in the question, not in the comments. – Ivar Oct 13 '20 at 14:58
  • @ivar all the things in the post of jonrsharpe also apply to classes. It also states WHAT can happen when you use inline styles and you get hit by an XSS. One of the comments in the answers is "Couldn't they just as easily mess up your page by modifying classes? I'm still not seeing the benefit.". That is still my question, and not answered. – Michel Oct 13 '20 at 15:04
  • @Ivar I edited the question to explain why that question didn't answer my question. – Michel Oct 13 '20 at 15:16
  • I have to agree, the linked questions don't really explain **why** inline styles are a problem (from a security perspective); they just give examples of how someone who has access to the page could abuse inline styles (which, surely, they could do anyway, since inline overrides nearly all CSS selectors) – DBS Oct 13 '20 at 15:16
  • In short: no. I've only edited twice, and frankly you're being very aggressive. To expand on why I applied the most recent edits: 1. a link to the actual question is far more use than a reference to a comment that may get cleaned up; 2. it's helpful to mark as quotes what's quoted, so what's your response is clearer; and 3. in general trotting out the whole history and your meta commentary isn't useful to the next person who wonders the same thing. If they want to see the question's history, it's in https://stackoverflow.com/posts/64337268/revisions. Your question's been reopened, relax. – jonrsharpe Oct 13 '20 at 16:01
  • I can understand that you might feel I'm being aggressive. How would you feel: I've googled for an hour, read 20+ pages, and then a person (not you) just closes my question without any additional comment, providing 4 of those 20 pages which didn't answer my question. No means of communication, and so darn fast he/she couldn't have read all those 4 posts but (imho) just added them by title. That doesn't make me feel good, no. – Michel Oct 13 '20 at 16:05
  • An hour's not *that* long, really, and crucially you didn't actually *show the research* in the question. As I said above, *"I only see what you've put in your question"* - if you've read other resources, providing links and summarising what you have and haven't learned from them (as you've now done for that one post) helps others understand what you've already seen so we *don't* end up telling you the same thing again. And you're relying on strangers for free help, so getting shouty isn't likely to improve the response. – jonrsharpe Oct 13 '20 at 16:07

1 Answer


why is it more unsafe than using classes

For example: if your website allows user-submitted links, there’s a combination of styles that will put the link directly over your login button – a serious phishing risk. Having a vulnerability allowing arbitrary classes to be set isn’t good, but there probably won’t be a combination allowing for quite so much freedom.

Some potential attacker resources are also only available in CSS property values, like url() (allowing tracking if your CSP isn’t restrictive about image-src).
