CSP & data URIs

Data URIs are a common Web performance best practice. They are commonly
used, especially to avoid extra HTTP requests in order to fetch small
images, both as <img> tag and as background images.

I'm wondering what the security risks are in adding an "img-src data:"
directive to a CSP policy.
It seems that at least in some browsers, img data URIs are XSS
exploitable [1][2].

If that is in fact the case, is it possible to introduce a mechanism
similar to "script-nonce" to enable developers to authorize some img data
URIs, for performance purposes, while avoiding a global data URI
authorization that can be exploited?

Thanks,
Yoav

[1] http://stackoverflow.com/questions/11228771/are-data-uris-on-imgs-xss-exploitable
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=255107

Received on Thursday, 10 January 2013 14:44:40 UTC
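The following is an added example and is not part of the post above or of any browser's CSP implementation. It is a small Python matcher for the `img-src` directive (with fallback to `default-src`) that shows, side by side, what a policy that omits `data:` and one that includes it each admit. The page origin, the policy strings and the truncated data URI are constructed sample values; the matcher deliberately ignores path components and treats `*` as matching only network schemes, so that `img-src *` still rejects `data:` images, which is how CSP defines the wildcard.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(expr, url_scheme, url_host, url_port, page_scheme):
    """Match a host-source such as https://cdn.example.org, *.example.org or host:8443."""
    if "://" in expr:
        expr_scheme, hostport = expr.split("://", 1)
    else:
        expr_scheme, hostport = None, expr
    hostport = hostport.split("/", 1)[0]  # simplification: path parts are ignored
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        expr_port = int(port) if port.isdigit() else None
    else:
        host, expr_port = hostport, None
    # Scheme: an explicit scheme must match; otherwise the page's scheme (or https for an http page)
    if expr_scheme:
        if url_scheme != expr_scheme:
            return False
    elif url_scheme != page_scheme and not (page_scheme == "http" and url_scheme == "https"):
        return False
    # Host: exact match or a *.suffix wildcard
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != "*" and host != url_host:
        return False
    # Port: an explicit port must match; otherwise the URL must use its scheme's default port
    if expr_port is not None:
        return url_port == expr_port
    return url_port == DEFAULT_PORTS.get(url_scheme)


def source_allowed(img_url, sources, page_origin):
    """Evaluate one source list against a candidate image URL."""
    if "'none'" in [s.lower() for s in sources]:
        return False
    url_scheme, url_host, url_port = _origin(img_url)
    page_scheme, page_host, page_port = _origin(page_origin)
    for expr in sources:
        e = expr.lower()
        if e == "*":
            # The wildcard matches network schemes only, never data:, blob: or filesystem:
            if url_scheme in ("http", "https", "ws", "wss"):
                return True
        elif e == "'self'":
            if (url_scheme, url_host, url_port) == (page_scheme, page_host, page_port):
                return True
        elif e.endswith(":") and "/" not in e:
            # A scheme-source such as data: or https: admits every URI with that scheme
            if url_scheme == e[:-1]:
                return True
        elif not e.startswith("'"):
            if _host_source_matches(e, url_scheme, url_host, url_port, page_scheme):
                return True
    return False


def image_allowed(csp_header, page_origin, img_url):
    """Decide whether an image load is permitted: img-src governs, default-src is the fallback."""
    policy = parse_csp(csp_header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: image loads are unrestricted
    return source_allowed(img_url, sources, page_origin)


# Constructed sample values (not from any real site)
PAGE = "https://www.example.com"
STRICT = "default-src 'self'; img-src 'self' https://cdn.example.org"
PERMISSIVE = "default-src 'self'; img-src 'self' data:"
INLINE_PNG = "data:image/png;base64,iVBORw0KGgo="  # truncated PNG header, constructed

if __name__ == "__main__":
    for name, header in (("strict", STRICT), ("permissive", PERMISSIVE)):
        for src in (INLINE_PNG, "https://www.example.com/logo.png", "https://attacker.example.net/x.png"):
            print(f"{name:10s} {src[:40]:40s} -> {image_allowed(header, PAGE, src)}")
```

The two policies differ only in the `data:` scheme-source, and that single token is what turns every data URI, whoever produced it, into a permitted image source; there is no nonce- or hash-style expression for `img-src` in this matcher, mirroring the gap the post asks about, so the alternatives it leaves open are the whitelisted `'self'` and host sources.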