
Re: [webappsec] CSP 1.0 bug? button type=image and img-src

From: Yoav Weiss <yoav@yoav.ws>
Date: Wed, 24 Apr 2013 16:22:17 +0200
Message-ID: <CACj=BEh8cL87qY3D4OW9S9AStEmXWCerGc5A9QFOsyDOBmYByQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Adam Barth <w3c@adambarth.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
There's also <video>'s 'poster' attribute, which I don't think is covered.
Another future addition to this list may be <picture>, which (at least as
currently specced) can have an "src" attribute on the element itself, and
both "src" and "srcset" attributes on child <source> elements that may
trigger an image download.

As Adam said, a way to say "all image resources" would be much more
resilient to future additions.

On Wed, Apr 24, 2013 at 12:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Apr 23, 2013 at 11:04 PM, Adam Barth <w3c@adambarth.com> wrote:
> > We should try to find a way editorially to avoid having to enumerate all the
> > different ways user agents can load images.  We're unlikely to be able to
> > list them all, and it will make the spec fragile as the platform evolves.
> Should we make these "types" (media, image, etc.) part of what
> specifications define when they perform a
> http://fetch.spec.whatwg.org/ ? That way we have a nice way to hook in
> the CSP check there.
> Also, lowsrc is not supported by user agents and should not be
> included. You might want to list srcset though.
> --
> http://annevankesteren.nl/
Received on Wednesday, 24 April 2013 14:22:45 UTC
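As an added illustration of why the thread wants "all image resources" rather than an enumerated list, the following script (not part of this thread or of the CSP specification) collects every image-loading vector the thread names from a page and checks each resolved URL against a simplified CSP 1.0 img-src source list. The element/attribute table, the sample page and all hostnames are constructed for the example; the matcher deliberately ignores ports, paths and scheme-only sources.

```python
# Added example, not from the thread: audit a page's image loads against a CSP 1.0 img-src list.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IMAGE_VECTORS = {                 # element -> attributes whose value is fetched as an image
    "img": ("src", "srcset"),
    "input": ("src",),            # image submit button, only when type=image
    "video": ("poster",),
    "source": ("src", "srcset"),  # <source> children of <picture>
}

class ImageLoadCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.loads = base_url, []   # loads: (vector, absolute URL)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() != "image":
            return
        for attr in IMAGE_VECTORS.get(tag, ()):
            val = attrs.get(attr) or ""
            # srcset is "url descriptor, url descriptor, ..."; keep only the URLs
            urls = [c.split()[0] for c in val.split(",") if c.strip()] if attr == "srcset" else [val]
            for url in filter(None, urls):
                self.loads.append((f"{tag}[{attr}]", urljoin(self.base_url, url)))

def source_matches(expr, url, page_url):
    """Simplified CSP 1.0 match: 'none', *, 'self', [scheme://]host, *.host (no ports/paths)."""
    u, p = urlparse(url), urlparse(page_url)
    if expr in ("'none'", "*"):
        return expr == "*"
    if expr == "'self'":
        return (u.scheme, u.hostname) == (p.scheme, p.hostname)
    scheme, _, host = expr.rpartition("://")  # scheme is "" when the expression has none
    host_ok = ((u.hostname or "").endswith(host[1:]) if host.startswith("*.")
               else u.hostname == host)       # a wildcard never matches the bare domain
    return host_ok and (not scheme or u.scheme == scheme)

def audit_img_src(html, page_url, img_src):
    """Return [(vector, url, allowed)] for every image load found in the page."""
    collector = ImageLoadCollector(page_url)
    collector.feed(html)
    return [(vec, url, any(source_matches(e, url, page_url) for e in img_src.split()))
            for vec, url in collector.loads]

# Constructed sample page exercising every vector named in the thread.
SAMPLE_HTML = """<img src="/logo.png" srcset="/logo.png 1x, https://cdn.example.com/logo@2x.png 2x">
<input type="image" src="https://tracker.example.net/pixel.gif">
<video poster="https://cdn.example.com/poster.jpg"></video>
<picture><source srcset="https://other.example.org/hero.webp 1x"><img src="/hero.jpg"></picture>"""
```

Running `audit_img_src(SAMPLE_HTML, "https://app.example.com/", "'self' *.example.com")` flags the `input[src]` and `source[srcset]` loads as blocked while every other vector is allowed; each new element or attribute a browser learns to load images from has to be added to `IMAGE_VECTORS` by hand, which is exactly the fragility the thread describes.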
