- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 5 Feb 2013 12:04:59 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Somewhat related, whitelist img-src data: uris by default? Are there any attacks on this?

On Tue, Feb 5, 2013 at 8:02 AM, Mike West <mkwst@google.com> wrote:
> This makes sense to me. I'd suggest doing the same for filesystem: and blob:
> URLs.
>
> If there are no objections, I'll add something to the spec.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Tue, Feb 5, 2013 at 4:40 PM, Neil Matatall <neilm@twitter.com> wrote:
>>
>> Hello all,
>>
>> I was taking a look at our reports and noticed a significant number of
>> reports without a blocked-uri value. We tracked it down to two
>> (possibly more) culprits:
>>
>> data: uris in images
>> javascript: uris in hrefs
>>
>> I think the protocol would be enough information in this case.
>>

Received on Tuesday, 5 February 2013 20:05:29 UTC