
CSP & data URIs

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 10 Jan 2013 15:44:12 +0100
Message-ID: <CACj=BEiW5f1VDkDg6Zz3m8Jsu+t_o__bpkJCfHAdMTyJ5acJeg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Data URIs are a common Web performance best practice. They are commonly
used, especially to avoid extra HTTP requests in order to fetch small
images, both as <img> tag and as background images.

I'm wondering what the security risks are in adding an "img-src data:"
directive to a CSP policy.
It seems that at least in some browsers, img data URIs are XSS

If that is in fact the case, is it possible to introduce a mechanism
similar to "script-nonce" to enable developers to authorize some img data
URIs, for performance purposes, while avoiding a global data URI
authorization that can be exploited?


[2] https://bugzilla.mozilla.org/show_bug.cgi?id=255107
Received on Thursday, 10 January 2013 14:44:40 UTC
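An added illustration, not part of the original message, of what the directive in question changes: a minimal CSP source-list evaluator for `img-src` (with the `default-src` fallback) run against two constructed policies, one that lists `data:` and one that pins images to a host instead. Only the source expressions needed here are implemented ('self', 'none', '*', scheme-sources such as `data:`, and exact host sources); the policy strings and hostnames are assumptions, not taken from the post.

```python
from urllib.parse import urlparse

# Constructed example policies (assumptions for this illustration).
POLICY_WITH_DATA = "default-src 'self'; img-src 'self' data:"
POLICY_STRICT = "default-src 'self'; img-src 'self' https://static.example"


def parse_csp(policy: str) -> dict:
    """Parse a serialized CSP header into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_matches(source: str, url: str, origin: str) -> bool:
    """Match one source expression against a URL (subset of the CSP rules)."""
    parsed = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == origin
    if source == "*":
        # The wildcard never matches data:, blob: or filesystem: URLs.
        return parsed.scheme not in ("data", "blob", "filesystem")
    if source.endswith(":") and "//" not in source:
        # A bare scheme-source such as data: matches any URL of that scheme,
        # regardless of its content: this is what "img-src data:" grants.
        return parsed.scheme == source[:-1]
    host = urlparse(source)  # host-source, e.g. https://static.example
    return (parsed.scheme, parsed.netloc) == (host.scheme, host.netloc)


def image_allowed(policy: str, url: str, origin: str) -> bool:
    """Would an <img src=url> on the page at `origin` load under this policy?
    img-src is consulted first; if absent, default-src applies; if neither
    is present the load is unrestricted."""
    directives = parse_csp(policy)
    sources = directives.get("img-src", directives.get("default-src", ["*"]))
    return any(source_matches(s, url, origin) for s in sources)


if __name__ == "__main__":
    img = "data:image/png;base64,iVBORw0KGgo="  # constructed data URI
    print("with data: ->", image_allowed(POLICY_WITH_DATA, img, "https://www.example"))
    print("strict     ->", image_allowed(POLICY_STRICT, img, "https://www.example"))
```

The evaluator has no way to express "this particular data: image but not others": the `data:` source is all-or-nothing, which is exactly the gap the message asks about.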