- From: Yoav Weiss <yoav@yoav.ws>
- Date: Fri, 11 Jan 2013 10:30:26 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 11 January 2013 09:30:54 UTC
Does it pose a risk besides the obvious defacement risk? I guess that a malicious image can also exploit a decoder bug, but I'm not certain that's a real life threat (with sandboxing, etc). Would you consider this risk high enough to include a nonce-like mechanism for image data URIs? It would be a shame if Web developers have to choose between performance and security. Thanks, Yoav On Fri, Jan 11, 2013 at 10:18 AM, Adam Barth <w3c@adambarth.com> wrote: > Keep in mind that an attacker who can inject an <img> tag into your > site can use a data URL to display whatever image he or she likes. > Adding data: as a src does increase the risk from an XSS attack. > > Adam > > > On Thu, Jan 10, 2013 at 7:33 AM, Yoav Weiss <yoav@yoav.ws> wrote: > > OK, my mistake. > > In that case, I understand that enabling "img-src data:" in CSP can be > > recommended as part of a Web performance best practice. > > > > > > On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > >> > >> On 1/10/13 9:44 AM, Yoav Weiss wrote: > >>> > >>> It seems that at least in some browsers, img data URIs are XSS > >>> exploitable[1][2]. > >> > >> > >> Uh.... no. They're not. What made you think they are, exactly? The > >> links you point to certainly say nothing of the sort. > >> > >> -Boris > >> > > >
Received on Friday, 11 January 2013 09:30:54 UTC