
Re: [webappsec] CSP 1.0 bug? button type=image and img-src

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 23 Apr 2013 15:04:45 -0700
Message-ID: <CAJE5ia_sm-qoLCbFTBQVxnsYs6smOLvMGnVnj0R=7peo9QXr2Q@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

We should try to find a way editorially to avoid having to enumerate all
the different ways user agents can load images.  We're unlikely to be able
to list them all, and it will make the spec fragile as the platform evolves.

Adam


On Tue, Apr 23, 2013 at 2:18 PM, Hill, Brad <bhill@paypal-inc.com> wrote:

> We are also missing the "lowsrc" attribute of img in that directive
> description.
>
> > -----Original Message-----
> > From: Hill, Brad [mailto:bhill@paypal-inc.com]
> > Sent: Tuesday, April 23, 2013 2:11 PM
> > To: public-webappsec@w3.org
> > Subject: [webappsec] CSP 1.0 bug? button type=image and img-src
> >
> > While writing test assertions I noticed that the spec text for CSP 1.0 does not
> > explicitly include the src attribute of a button element of type image in the
> > list of fetches controlled by the img-src directive.  Should we correct this?
> >
> > -Brad
>
>
>
Received on Tuesday, 23 April 2013 22:05:44 UTC
