
Re: CSP & data URIs

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 10 Jan 2013 16:33:54 +0100
Message-ID: <CACj=BEjr9CJgDaB5S6iZ6hZJhpwBCiqVOze_BwwCps=mpzvP4Q@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

OK, my mistake.
In that case, I understand that enabling "img-src data:" in CSP can be
recommended as part of a Web performance best practice.


On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 1/10/13 9:44 AM, Yoav Weiss wrote:
>
>> It seems that at least in some browsers, img data URIs are XSS
>> exploitable[1][2].
>>
>
> Uh.... no.  They're not.  What made you think they are, exactly?  The
> links you point to certainly say nothing of the sort.
>
> -Boris
>
>
Received on Thursday, 10 January 2013 15:34:21 GMT
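The distinction the thread settles on (a `data:` image is rendered, never executed, so `img-src data:` does not widen the script surface) is easiest to see by checking concrete loads against concrete policies. The matcher below is an added example, not code from the thread or from any browser; it implements only a simplified subset of CSP source matching (`'self'`, `'none'`, `*`, scheme sources such as `data:`, host sources with a leading `*.` wildcard, and the `default-src` fallback), and the policies and URLs in it are constructed for illustration.

```python
"""Simplified CSP source-expression matcher (added example, not from the thread).

Covers a reduced subset of CSP Level 1 matching; real browsers also handle
nonces, hashes, ports and path matching, which are omitted here.
"""
from urllib.parse import urlparse

# Constructed sample policies. The "performance" policy allows inline
# data: images while leaving script-src restricted to the page's origin.
PERF_POLICY = "default-src 'self'; img-src 'self' data:; script-src 'self'"
STRICT_POLICY = "default-src 'self'"


def parse_csp(header):
    """Parse a CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _matches(source, url, page_origin):
    """Does a single source expression permit loading `url`?"""
    src = source.lower()
    parsed = urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        origin = urlparse(page_origin)
        return (parsed.scheme, parsed.netloc) == (origin.scheme, origin.netloc)
    if src == "*":
        # CSP: a bare * never matches data:, blob: or filesystem: URLs.
        return parsed.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        # scheme-source, e.g. "data:" or "https:"
        return parsed.scheme == src[:-1]
    # host-source with optional scheme and optional leading "*." wildcard
    if "://" in src:
        scheme, host = src.split("://", 1)
        if parsed.scheme != scheme:
            return False
    else:
        host = src
    host = host.rstrip("/")
    if host.startswith("*."):
        return parsed.hostname is not None and parsed.hostname.endswith(host[1:])
    return parsed.hostname == host


def is_allowed(header, directive, url, page_origin="https://example.com"):
    """Return True if `url` may be loaded under `directive` for a page at `page_origin`."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    # Constructed loads: an inline image and an inline script-like URL.
    png = "data:image/png;base64,iVBORw0KGgo="
    js = "data:text/javascript,console.log(1)"
    for policy_name, policy in (("perf", PERF_POLICY), ("strict", STRICT_POLICY)):
        print(policy_name, "img data:", is_allowed(policy, "img-src", png))
        print(policy_name, "script data:", is_allowed(policy, "script-src", js))
```

Under `PERF_POLICY` the inline image is allowed and the `data:` script is still refused, because `img-src data:` only ever feeds the image decoder; under `STRICT_POLICY` the image falls back to `default-src 'self'` and is blocked, which is the cost the performance recommendation is trading against.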

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 January 2013 15:34:22 GMT