- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 5 Mar 2013 16:48:43 -0800
- To: Neil Matatall <neilm@twitter.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I'm not sure if you got an answer to your question, so I'll attempt one now.

If I was using data URLs in images on my site, I would feel comfortable whitelisting img-src data:. If I wasn't using data URLs in images on my site, I would be (slightly) sad if the browser automatically whitelisted them for me because it's attack surface I don't need.

At a more meta level, CSP is already pretty complicated to understand. We might be able to get away with whitelisting data URLs for images, but doing that would add more complexity to the feature because it would introduce differences between, say, img-src and font-src. IMHO, we're better off with a policy language that's simpler even if it requires that folks who are using data URLs need to whitelist them themselves.

Adam

On Tue, Feb 5, 2013 at 12:04 PM, Neil Matatall <neilm@twitter.com> wrote:
> Somewhat related, whitelist img-src data: URIs by default? Are there
> any attacks on this?
>
> On Tue, Feb 5, 2013 at 8:02 AM, Mike West <mkwst@google.com> wrote:
>> This makes sense to me. I'd suggest doing the same for filesystem: and blob:
>> URLs.
>>
>> If there are no objections, I'll add something to the spec.
>>
>> -mike
>>
>> --
>> Mike West <mkwst@google.com>, Developer Advocate
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>>
>> On Tue, Feb 5, 2013 at 4:40 PM, Neil Matatall <neilm@twitter.com> wrote:
>>>
>>> Hello all,
>>>
>>> I was taking a look at our reports and noticed a significant number of
>>> reports without a blocked-uri value. We tracked it down to two
>>> (possibly more) culprits:
>>>
>>> data: URIs in images
>>> javascript: URIs in hrefs
>>>
>>> I think the protocol would be enough information in this case.
>>>
>>
>
Received on Wednesday, 6 March 2013 00:49:43 UTC
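The two points argued in the thread, as an added worked example (this is not code from the list, from any browser, or from the CSP spec): first, Adam's point that a data: image is only allowed when img-src, or the default-src it falls back to, lists data: explicitly, because '*' and 'self' never admit data:, blob: or filesystem: URLs; second, Neil's proposal, extended by Mike to filesystem: and blob:, that a violation report for such a URL should carry just the scheme in blocked-uri instead of an empty value. The matcher below is a deliberately small model of CSP source-list matching (no host wildcards, paths or nonces), and reporting the bare scheme without a trailing colon for non-network URLs, while stripping fragment and credentials from network URLs, is this example's assumption rather than anything the thread settles.

```javascript
// Added example: a minimal model of CSP source matching and violation
// reporting. Not a full CSP implementation; host wildcards, paths,
// nonces and hashes are intentionally left out.

const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Parse "default-src 'self'; img-src 'self' data:" into a Map of
// directive name -> array of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const clause of header.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent. A null result
// means the policy does not restrict this directive at all.
function sourcesFor(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.get("default-src") ?? null;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  // 'self' and '*' only ever match network schemes; neither admits
  // data:, blob: or filesystem:, so those must be listed explicitly.
  if (source === "'self'") return NETWORK_SCHEMES.has(url.protocol) && url.origin === pageOrigin;
  if (source === "*") return NETWORK_SCHEMES.has(url.protocol);
  // Scheme-source such as "data:" or "blob:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host-source, with or without a scheme: https://cdn.example.net, cdn.example.net:8443
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  return url.host === host;
}

// blocked-uri for a report: the scheme alone for non-network URLs
// (data:, blob:, filesystem:, javascript:), so a data: image body never
// ends up in a report; for network URLs the URL minus fragment and
// credentials. The bare scheme without ":" is an assumption of this model.
function blockedUriForReport(url) {
  if (!NETWORK_SCHEMES.has(url.protocol)) return url.protocol.slice(0, -1);
  const stripped = new URL(url.href);
  stripped.hash = "";
  stripped.username = "";
  stripped.password = "";
  return stripped.href;
}

// Decide whether a load governed by `directive` is allowed under the
// policy; when it is not, return a report-shaped object as well.
function checkLoad(policyHeader, directive, resourceUrl, documentUrl) {
  const directives = parsePolicy(policyHeader);
  const sources = sourcesFor(directives, directive);
  const url = new URL(resourceUrl);
  const pageOrigin = new URL(documentUrl).origin;
  if (sources === null || sources.some((s) => sourceMatches(s, url, pageOrigin))) {
    return { allowed: true, report: null };
  }
  return {
    allowed: false,
    report: {
      "document-uri": blockedUriForReport(new URL(documentUrl)),
      "violated-directive": directives.has(directive) ? directive : "default-src",
      "blocked-uri": blockedUriForReport(url),
    },
  };
}

// Demo with a constructed data: image under a policy that omits data:.
console.log(JSON.stringify(
  checkLoad("default-src 'self'", "img-src",
            "data:image/png;base64,iVBORw0KGgo=", "https://example.com/").report));
```

Running the demo shows the report Neil was asking for: `violated-directive` is `default-src` (img-src was not set, so the fallback applied) and `blocked-uri` is `data` rather than an empty string. Adding `img-src 'self' data:` to the policy makes the same load pass, and a font-src load of a data: URL under that policy still fails, which is exactly the per-directive whitelisting Adam prefers over a built-in exception for images.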