- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 27 Jan 2011 11:05:19 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Thu, Jan 27, 2011 at 10:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote: > On 1/27/11 9:57 AM, Michal Zalewski wrote: >> plus, there are some types of content loads that are not covered by >> these categories (say, favicon). > > Borderline: favicons aren't "in" the page, but if you're worried > about exfiltration then it's a problem that they are linked to by > the page. If we agree they should be covered it should be lumped > with images and say it's a Firefox bug they aren't enforced. > > prefetching might have a similar exfiltration risk -- should the > presence of a CSP header disable it? I don't think we'll ever be able to stop exfiltration. IMHO, worrying about exfiltration is just a distraction. Adam
Received on Thursday, 27 January 2011 19:10:11 UTC