W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

Re: Rate SVG resources to CSP directive

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 10 Feb 2012 00:44:37 -0800
Message-ID: <4F34D8F5.7070906@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org, Renata Hodovan <hodovan@inf.u-szeged.hu>
I agree that it looks like this feature /should/ be governed by the
img-src directive. In Firefox it looks like svg <use> gets a generic
TYPE_OTHER on the load and therefore is only controlled by
default-src. Seems like a bug to me.

On 2/2/12 2:14 PM, Adam Barth wrote:
> dveditz,
> 
> Do you know how Firefox handles this kind of resource currently?
> 
> Adam
> 
> 
> 2012/2/1 Renata Hodovan <hodovan@inf.u-szeged.hu>:
>> Hi All,
>>
>> my name is Renata Hodovan and I work on WebKit. I'd like to add external
>> resource support to SVGUseElement. During this I faced a problem. We should
>> rate this new resource under a Content-Security-Policy directive. So the
>> question is which one should it belong to? Currently I added it to the image
>> directive. Is it right?
>> You can find the bug here: https://bugs.webkit.org/show_bug.cgi?id=12499
>>
>> Thanks in advance,
>> Reni
>>
> 
Received on Friday, 10 February 2012 08:45:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 10 February 2012 08:45:06 GMT