CWE-693 and OWASP A05 apply: a permissive style-src directive (e.g., style-src * or style-src https:) allows any external stylesheet to be loaded into extension pages. While style injection is less immediately dangerous than script injection, CSS exfiltration attacks exist — attribute selectors can leak sensitive DOM content character by character. More practically, allowing external styles defeats the extension's origin isolation and can be used to fingerprint extension state via timing side-channels. Restricting style-src to 'self' forces style bundling, which also improves offline reliability and eliminates dependency on third-party CDNs.
Medium because wildcard style sources enable CSS-based data exfiltration attacks and defeat origin isolation, though exploitation requires chaining with another injection opportunity.
Restrict style-src to 'self' and bundle all stylesheets locally. If a UI framework requires 'unsafe-inline' for inline styles, that is tolerated but should be paired with a strict script-src.
"content_security_policy": {
"extension_pages": "style-src 'self'; script-src 'self'; object-src 'none'"
}
Avoid loading fonts or CSS from external CDNs — host them under src/assets/ and reference via relative path.
ID: extension-permissions-security.content-security-policy.style-src-safe
Severity: medium
What to look for: Quote the style-src directive from the CSP. Count the number of remote source entries. Check for wildcards (*, https:, http:) in the style-src list.
Pass criteria: style-src contains no wildcard entries (*, https:, http:). 'unsafe-inline' is often necessary for UI frameworks, so it is tolerated, but 'self' alone is preferred. Quote the actual style-src value.
Fail criteria: style-src allows arbitrary remote sources (* or https:).
Skip (N/A) when: Never — style injection can enable data exfiltration.
Detail on fail: "CSP style-src allows broad remote sources."
Remediation: Restrict styles to 'self' and specific domains in manifest.json CSP if loading external fonts/CSS is absolutely necessary (and cannot be bundled).
"content_security_policy": { "extension_pages": "style-src 'self'; script-src 'self'; object-src 'none'" }