- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 11 Jan 2013 01:43:43 -0800
- To: Yoav Weiss <yoav@yoav.ws>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Jan 11, 2013 at 1:30 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> Does it pose a risk besides the obvious defacement risk?
> I guess that a malicious image can also exploit a decoder bug, but I'm not
> certain that's a real life threat (with sandboxing, etc).

It's mostly the defacement issue.

> Would you consider this risk high enough to include a nonce-like mechanism
> for image data URIs? It would be a shame if Web developers have to choose
> between performance and security.

Probably not.

Adam

> On Fri, Jan 11, 2013 at 10:18 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> Keep in mind that an attacker who can inject an <img> tag into your
>> site can use a data URL to display whatever image he or she likes.
>> Adding data: as a src does increase the risk from an XSS attack.
>>
>> Adam
>>
>>
>> On Thu, Jan 10, 2013 at 7:33 AM, Yoav Weiss <yoav@yoav.ws> wrote:
>> > OK, my mistake.
>> > In that case, I understand that enabling "img-src data:" in CSP can be
>> > recommended as part of a Web performance best practice.
>> >
>> >
>> > On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> >>
>> >> On 1/10/13 9:44 AM, Yoav Weiss wrote:
>> >>>
>> >>> It seems that at least in some browsers, img data URIs are XSS
>> >>> exploitable[1][2].
>> >>
>> >>
>> >> Uh.... no. They're not. What made you think they are, exactly? The
>> >> links you point to certainly say nothing of the sort.
>> >>
>> >> -Boris

Received on Friday, 11 January 2013 09:44:44 UTC