If we want 'img-src' to restrict a page's ability to reference a GIF, then that restriction should apply regardless of whether the GIF is pulled in via <img> directly or indirectly. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Apr 23, 2014 at 2:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, Apr 23, 2014 at 2:22 PM, Mike West <mkwst@google.com> wrote: > > This is especially relevant for scripting restrictions; I believe script > > executes in an SVG document in the same execution context as the document > > the SVG was included in. Given that, we'd certainly want to ensure that > the > > _page's_ 'script-src' directive applied. > > Well, SVG-as-image should not execute script to begin with. Part of > the problem here is that the SVG-as-image concept is not very well > defined. Given that SVG-as-image resources are already meant to be > "safe" (no more dangerous than referencing a GIF) I do not see any > reason why CSP would be applicable to it. > > > -- > http://annevankesteren.nl/ >
Received on Wednesday, 23 April 2014 12:32:50 UTC