- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 03 Mar 2011 14:46:25 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
On 03/03/2011 02:37 PM, gaz Heyes wrote: > Nice work > > But.... I see that img-src is defined and font-src but every url() based > CSS method is missing, then you've got HTML attributes like background. > How do you control those? Are they same domain by default? Good catch. No, you are right, all image loads that happen via CSS are also subject to img-src. I'll make sure to include that in the next revision. Thanks, Brandon
Received on Thursday, 3 March 2011 22:45:59 UTC