Cross Site Scripting vulnerabilities via CSS

I have recently been reading up on Content Security Policy headers and came across this comment about stylesheets:

Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you absolutely have to use it, there are a few mechanisms that will allow them.

The bit about inline scripts seemed pretty obvious, but I was curious about why inline styles would be considered a bad thing. Eventually I came across this video which provided some good info:

(YewTube link)

It seems the main thing to be concerned about is data exfiltration.

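A defender's check for the point in the quoted note, as an added example that is not part of the original post: it parses a Content-Security-Policy header value and reports whether inline styles are blocked, limited to nonce or hash matches, or allowed wholesale. The function names and sample headers are constructed for illustration, and only `style-src` with its `default-src` fallback is modelled.

```javascript
// Added example: classify how a CSP header value treats inline styles.
// Assumption: only style-src and its default-src fallback are evaluated;
// style-src-elem / style-src-attr overrides are not modelled here.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStylePolicy(header) {
  const directives = parseCsp(header);
  const governing = directives.has('style-src') ? 'style-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { governing, allowsAllInline: true, reason: 'no directive restricts styles' };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  // When a nonce or hash source is present, browsers ignore 'unsafe-inline',
  // so only inline <style> blocks carrying a matching nonce or hash apply.
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-).+'$/.test(s))) {
    return { governing, allowsAllInline: false, reason: 'inline styles need a matching nonce or hash' };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { governing, allowsAllInline: true, reason: "'unsafe-inline' permits every inline style" };
  }
  return { governing, allowsAllInline: false, reason: 'inline styles are blocked' };
}

// Constructed sample header values (not taken from any real site).
const SAMPLE_HEADERS = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' 'nonce-abc123'",
  "script-src 'self'",
];
for (const h of SAMPLE_HEADERS) {
  const r = inlineStylePolicy(h);
  console.log(`${h}\n  -> ${r.allowsAllInline ? 'ALLOWS' : 'restricts'} inline styles (${r.reason})`);
}
```

A policy that only sets `script-src` leaves styles unrestricted, which is the case most easily missed when reviewing a header by eye.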