Re: CSP & data URIs

OK, my mistake.
In that case, I understand that enabling "img-src data:" in CSP can be
recommended as part of a Web performance best practice.


On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 1/10/13 9:44 AM, Yoav Weiss wrote:
>
>> It seems that at least in some browsers, img data URIs are XSS
>> exploitable[1][2].
>>
>
> Uh.... no.  They're not.  What made you think they are, exactly?  The
> links you point to certainly say nothing of the sort.
>
> -Boris

Received on Thursday, 10 January 2013 15:34:21 UTC