
CSP & data URIs

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 10 Jan 2013 15:44:12 +0100
Message-ID: <CACj=BEiW5f1VDkDg6Zz3m8Jsu+t_o__bpkJCfHAdMTyJ5acJeg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Data URIs are a common Web performance best practice. They are commonly
used, especially to avoid extra HTTP requests in order to fetch small
images, both in <img> tags and as background images.

I'm wondering what the security risks are in adding an "img-src data:"
directive to a CSP policy.
It seems that at least in some browsers, img data URIs are XSS
exploitable[1][2].

If that is in fact the case, is it possible to introduce a mechanism
similar to "script-nonce" to enable developers to authorize some img data
URIs, for performance purposes, while avoiding global data URI
authorization that can be exploited?

Thanks,
Yoav

[1] http://stackoverflow.com/questions/11228771/are-data-uris-on-imgs-xss-exploitable
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=255107
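The point of the question above is what a global `img-src data:` actually grants: once `data:` is listed as a source expression, any data: image is allowed regardless of where the markup came from, and there is no origin to match against. The following added example (written for this archive page; it is not code from the mail, from the W3C, or from any browser) is a small CSP source-matching checker that parses a policy, resolves the effective `img-src` list (falling back to `default-src` as CSP does), and decides whether a given image URL would be allowed. The policies, the `www.example.com` page origin, the `cdn.example` host and the data: image are constructed sample values. Path matching and some CSP edge cases are deliberately simplified.

```python
from urllib.parse import urlsplit

# Constructed sample policies: the one the mail asks about, and a stricter one
# that names a specific CDN host instead of data:.
POLICY_WITH_DATA = "default-src 'self'; img-src 'self' data:"
POLICY_STRICT = "default-src 'self'; img-src 'self' https://cdn.example"

# Constructed sample data: image (a truncated PNG header, not a real image).
DATA_URI = "data:image/png;base64,iVBORw0KGgo="

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}.

    A repeated directive is ignored (first occurrence wins), as in CSP.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_sources(directives, directive):
    """Return the source list that governs `directive`, or None if unrestricted."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src")  # fetch directives fall back to default-src


def _effective_port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def _self_matches(parts, page_origin):
    origin = urlsplit(page_origin)
    return (parts.scheme, (parts.hostname or "").lower(), _effective_port(parts)) == (
        origin.scheme, (origin.hostname or "").lower(), _effective_port(origin))


def _host_source_matches(expr, parts):
    """Match a host-source such as https://cdn.example, *.example.com or host:443."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    if scheme and parts.scheme != scheme:
        return False
    hostport = rest.split("/", 1)[0]  # path component is ignored in this simplified check
    host, _, port = hostport.partition(":")
    if port and port != "*" and str(_effective_port(parts)) != port:
        return False
    url_host = (parts.hostname or "").lower()
    if host.startswith("*."):
        return url_host.endswith(host[1:])  # "*.example.com" matches "img.example.com"
    return url_host == host


def _source_matches(expr, parts, page_origin):
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return _self_matches(parts, page_origin)
    if e == "*":
        # CSP: * matches any URL except data:, blob: and filesystem: schemes
        return parts.scheme not in ("data", "blob", "filesystem")
    if e.endswith(":") and "/" not in e:
        return parts.scheme == e[:-1]  # scheme-source, e.g. data: or https:
    if e.startswith("'"):
        return False  # keyword sources like 'unsafe-inline' do not match URL fetches
    return _host_source_matches(e, parts)


def image_allowed(policy, url, page_origin="https://www.example.com"):
    """Would an <img> or background image at `url` load under `policy`?"""
    sources = effective_sources(parse_csp(policy), "img-src")
    if sources is None:
        return True  # neither img-src nor default-src present: no restriction
    parts = urlsplit(url)
    return any(_source_matches(s, parts, page_origin) for s in sources)


def directives_allowing_data(policy):
    """List the directives in `policy` that explicitly allow the data: scheme."""
    return sorted(name for name, sources in parse_csp(policy).items()
                  if any(s.lower() == "data:" for s in sources))


if __name__ == "__main__":
    for policy in (POLICY_WITH_DATA, POLICY_STRICT):
        print(policy)
        print("  data: image allowed:", image_allowed(policy, DATA_URI))
        print("  directives allowing data:", directives_allowing_data(policy))
```

Run directly, the script shows that the first policy lets the data: image load while the second rejects it but still admits images from the page's own origin and from `cdn.example`. `directives_allowing_data` is the kind of check worth running over a policy before deployment, since `data:` in `img-src` is a different risk from `data:` in `script-src` or `object-src`, and a reviewer wants to see at a glance which directives carry it.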
Received on Thursday, 10 January 2013 14:44:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 January 2013 14:44:41 GMT