
Re: Unofficial Draft of Content Security Policy

From: Brandon Sterne <bsterne@mozilla.com>
Date: Thu, 03 Mar 2011 14:46:25 -0800
Message-ID: <4D701A41.5060103@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>

On 03/03/2011 02:37 PM, gaz Heyes wrote:
> Nice work
> 
> But.... I see that img-src is defined and font-src but every url() based
> CSS method is missing, then you've got HTML attributes like background.
> How do you control those? Are they same domain by default?

Good catch.  No, you are right, all image loads that happen via CSS are
also subject to img-src.  I'll make sure to include that in the next
revision.

Thanks,
Brandon
Received on Thursday, 3 March 2011 22:45:59 GMT
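
Added example, not part of the original message or of the CSP draft: a simplified check of which url() image loads in a stylesheet an img-src source list would permit, following the point in the reply that image loads made via CSS are subject to img-src. The policy string, page URL, stylesheet and all function names are constructed for illustration, and the matcher only handles 'self', * and scheme://host sources.

```javascript
// Constructed sample policy, page URL and stylesheet (not from the thread).
const POLICY = "img-src 'self' https://img.example.com";
const PAGE_URL = "https://app.example.com/index.html";
const CSS = `
  body   { background: url("/bg.png"); }
  li     { list-style-image: url(https://img.example.com/dot.gif); }
  .promo { background-image: url('https://tracker.example.net/p.gif'); }
`;

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Simplified source matching: 'self', '*', and scheme://host (origin) only.
function allowedBy(sources, url, pageUrl) {
  const target = new URL(url, pageUrl); // resolves relative url() values
  const page = new URL(pageUrl);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === page.origin;
    try { return new URL(src).origin === target.origin; } catch { return false; }
  });
}

// Check every url() in the stylesheet against img-src. Assumes each url() is
// an image load (true for the sample; @font-face sources are not modelled).
// Returns null when the policy has no img-src: fallback is not modelled here.
function auditCssImages(css, policy, pageUrl) {
  const sources = parsePolicy(policy).get("img-src");
  if (!sources) return null;
  const results = [];
  for (const m of css.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/g)) {
    results.push({ url: m[2], allowed: allowedBy(sources, m[2], pageUrl) });
  }
  return results;
}

console.log(auditCssImages(CSS, POLICY, PAGE_URL));
```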
