Re: [Content Security Policy] Proposal to move the debate forward

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 27 Jan 2011 11:05:19 -0800
Message-ID: <AANLkTimZtDoF9hKNeVKfz6F8zdLAxCsNHZYKzYMnRZNp@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On Thu, Jan 27, 2011 at 10:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 1/27/11 9:57 AM, Michal Zalewski wrote:
>> plus, there are some types of content loads that are not covered by
>> these categories (say, favicon).
>
> Borderline: favicons aren't "in" the page, but if you're worried
> about exfiltration then it's a problem that they are linked to by
> the page. If we agree they should be covered it should be lumped
> with images and say it's a Firefox bug they aren't enforced.
>
> Prefetching might have a similar exfiltration risk -- should the
> presence of a CSP header disable it?

I don't think we'll ever be able to stop exfiltration.  IMHO, worrying
about exfiltration is just a distraction.

Adam
Received on Thursday, 27 January 2011 19:10:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 27 January 2011 19:10:12 GMT