Re: CSP & data URIs

Keep in mind that an attacker who can inject an <img> tag into your
site can use a data URL to display whatever image he or she likes.
Adding data: as a src does increase the risk from an XSS attack.

Adam


On Thu, Jan 10, 2013 at 7:33 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> OK, my mistake.
> In that case, I understand that enabling "img-src data:" in CSP can be
> recommended as part of a Web performance best practice.
>
>
> On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>
>> On 1/10/13 9:44 AM, Yoav Weiss wrote:
>>>
>>> It seems that at least in some browsers, img data URIs are XSS
>>> exploitable[1][2].
>>
>>
>> Uh.... no.  They're not.  What made you think they are, exactly?  The
>> links you point to certainly say nothing of the sort.
>>
>> -Boris
>>
>

Received on Friday, 11 January 2013 09:19:08 UTC
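To make the point in the message above concrete, here is an added example (my own illustration, not code from this thread or from any of its participants): a small evaluator for the CSP img-src directive that models the CSP Level 2 source-list matching rules relevant here ('none', 'self', '*', scheme-sources such as data:, and host-sources with the default-src fallback). Nonces, hashes and redirect handling are out of scope. The page origin https://example.com, the CDN host and both policy strings are constructed for the demo; the injected image is an attacker-chosen SVG carried entirely inside the data: URL, so no attacker-controlled host is needed for it to load once data: is in the source list.

```javascript
// Added example, not from the thread: a CSP Level 2 img-src evaluator model.
// Only the source-expression forms needed for this discussion are handled.

// Default ports per scheme; the URL parser drops these, so port === "" means "default".
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a Content-Security-Policy header value into directive -> source list.
// Per CSP, a repeated directive name is ignored after its first occurrence.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Match a host-source such as "cdn.example.com", "*.example.com" or
// "https://cdn.example.com:8443/assets/" against the target URL.
function hostSourceMatches(expr, target, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s:\/*]+)(?::(\d+|\*))?(\/[^\s]*)?$/i.exec(expr);
  if (m === null) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol; // no scheme: page's scheme
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];

  // Scheme: exact match, or an http: expression also covers an https: URL.
  if (!(target.protocol === scheme || (scheme === "http:" && target.protocol === "https:"))) return false;

  // Host: "*" matches any host; "*.example.com" matches subdomains, not the apex.
  const th = target.hostname.toLowerCase();
  if (host === "*") { /* any host */ }
  else if (host.startsWith("*.")) { if (!th.endsWith(host.slice(1))) return false; }
  else if (th !== host) return false;

  // Port: absent in the expression means the URL must use the scheme's default port.
  if (port === undefined) { if (target.port !== "") return false; }
  else if (port !== "*" && port !== (target.port === "" ? DEFAULT_PORTS[target.protocol] : target.port)) return false;

  // Path: a trailing "/" is a prefix match, otherwise the path must be exact.
  if (path !== undefined) {
    if (path.endsWith("/")) { if (!target.pathname.startsWith(path)) return false; }
    else if (target.pathname !== path) return false;
  }
  return true;
}

// Does one source expression match the target URL for a page at the given origin?
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return target.protocol === page.protocol &&
           target.hostname === page.hostname &&
           target.port === page.port;
  }
  // "*" deliberately does not cover data:, blob: or filesystem: URLs.
  if (e === "*") return !["data:", "blob:", "filesystem:"].includes(target.protocol);
  // Scheme-source: "data:", "https:", ... (an http: source also covers https: URLs).
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e || (e === "http:" && target.protocol === "https:");
  if (e.startsWith("'")) return false; // 'nonce-...' / 'sha256-...' never match an image URL
  return hostSourceMatches(expr, target, page);
}

// Would <img src=imgSrc> on the page at pageHref be allowed to load under this header?
function imgAllowed(header, imgSrc, pageHref) {
  const policy = parsePolicy(header);
  const sources = policy.get("img-src") ?? policy.get("default-src");
  if (sources === undefined) return true;   // nothing governs images: unrestricted
  const page = new URL(pageHref);
  const target = new URL(imgSrc, pageHref); // a relative src resolves against the page
  return sources.some((expr) => sourceMatches(expr, target, page));
}

// Constructed demo data (hypothetical origin, CDN and policies).
const PAGE = "https://example.com/profile";
const INJECTED_IMG = "data:image/svg+xml;base64," +
  Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"/>').toString("base64");
const STRICT = "default-src 'self'; img-src 'self' https://cdn.example.com";
const RELAXED = "default-src 'self'; img-src 'self' https://cdn.example.com data:";

for (const [name, policy] of [["strict", STRICT], ["relaxed", RELAXED]]) {
  console.log(name, "injected data: image loads:", imgAllowed(policy, INJECTED_IMG, PAGE));
  console.log(name, "cdn logo loads:", imgAllowed(policy, "https://cdn.example.com/logo.png", PAGE));
}
```

Under the strict policy the injected data: image is refused while the CDN logo and same-origin images still load; adding data: to img-src is exactly the change that lets the injected image through. Note also that img-src * is not the same relaxation, since * never matches data: or blob: URLs.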