Re: [webappsec] CSP 1.0 bug? button type=image and img-src

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 24 Apr 2013 11:28:20 +0100
Message-ID: <CADnb78iz9jV9PncW1vH4HX6PQaU0KzejZhBLm7uKZG+gckSYtg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Apr 23, 2013 at 11:04 PM, Adam Barth <w3c@adambarth.com> wrote:
> We should try to find a way editorially to avoid having to enumerate all the
> different ways user agents can load images.  We're unlikely to be able to
> list them all, and it will make the spec fragile as the platform evolves.

Should we make these "types" (media, image, etc.) part of what
specifications define when they perform a
http://fetch.spec.whatwg.org/ ? That way we have a nice way to hook in
the CSP check there.

Also, lowsrc is not supported by user agents and should not be
included. You might want to list srcset though.

Received on Wednesday, 24 April 2013 10:28:48 UTC
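
An added illustration of the proposal in the message above (not code from the thread, the CSP specification, or the Fetch specification): the caller of a fetch states a type, and one hook maps that type to a CSP directive, so the initiating elements never need enumerating. The function names, the type names other than image and media, the fail-closed handling of unknown types, and the simplified source matching are assumptions.

```javascript
// Added example. Type names other than "image" and "media" are assumed here.
const DIRECTIVE_FOR_TYPE = new Map([
  ["image", "img-src"], ["media", "media-src"], ["script", "script-src"],
  ["style", "style-src"], ["font", "font-src"],
]);

// Parse a policy string into directive -> source list (first occurrence wins).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified matching: 'none', 'self', scheme-only ("https:"), origin or bare host.
// Wildcards and paths are deliberately not handled in this sketch.
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  return s.includes("://") ? url.origin === s : url.host === s;
}

// The single check a fetch hook would run, keyed on the declared type only.
function cspAllows(policy, type, requestUrl, selfOrigin) {
  const directive = DIRECTIVE_FOR_TYPE.get(type);
  if (!directive) return false; // assumption: unknown types fail closed
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // no applicable directive
  const url = new URL(requestUrl);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Constructed sample: three initiators, one fetch type, one check.
const policy = parsePolicy("default-src 'self'; img-src 'self' https://img.example");
function checkSample() {
  const self = "https://app.example";
  return [
    ["img src", "https://img.example/a.png"],
    ["button type=image", "https://other.example/b.png"],
    ["srcset candidate", "https://app.example/c.png"],
  ].map(([initiator, url]) => [initiator, cspAllows(policy, "image", url, self)]);
}
console.log(checkSample());
```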
