Re: [webappsec] CSP 1.0 bug? button type=image and img-src from Adam Barth on 2013-04-23 (public-webappsec@w3.org from April 2013)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 23 Apr 2013 15:04:45 -0700
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAJE5ia_sm-qoLCbFTBQVxnsYs6smOLvMGnVnj0R=7peo9QXr2Q@mail.gmail.com>

We should try to find a way editorially to avoid having to enumerate all
the different ways user agents can load images.  We're unlikely to be able
to list them all, and it will make the spec fragile as the platform evolves.

Adam

On Tue, Apr 23, 2013 at 2:18 PM, Hill, Brad <bhill@paypal-inc.com> wrote:

> We are also missing the "lowsrc" attribute of img in that directive
> description.
>
> > -----Original Message-----
> > From: Hill, Brad [mailto:bhill@paypal-inc.com]
> > Sent: Tuesday, April 23, 2013 2:11 PM
> > To: public-webappsec@w3.org
> > Subject: [webappsec] CSP 1.0 bug? button type=image and img-src
> >
> > While writing test assertions I noticed that the spec text for CSP 1.0
> does not
> > explicitly include the src attribute of a button element of type image
> in the
> > list of fetches controlled by the img-src directive.  Should we correct
> this?
> >
> > -Brad
>
>
>

Received on Tuesday, 23 April 2013 22:05:44 UTC