Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 8:02 AM, Sigbjørn Vik <> wrote:

> That should be fairly easy. Even if blocked, call onload, and return the
>  image dimensions to the page. That is all a page can detect anyway.

An issue to consider with this approach is a CSRF attack vector. For
example, if I have Content-Security-Policy: img-src '';
and the attacker injects the following:

<img src=""

CSP would have prevented it, but if you load blocked resources, the CSRF
attack would still be successful.

Pete Freitag - CSP Quick Reference

Received on Wednesday, 12 February 2014 16:19:32 UTC
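The point in the reply above, worked through as an added example that is not part of the thread or of any browser's CSP implementation: a toy img-src matcher plus a simulated "bank" origin, run under the two browser behaviours being compared (block the request before it is sent, versus fetch the blocked image and only hide its dimensions from the page). The policy string, the injected markup, the hostnames and the transfer endpoint are all constructed for illustration; the matcher supports 'none', 'self', '*', scheme-only and host/wildcard-host sources and ignores ports and paths.

```javascript
// Added example, not code from the thread. Models why CSP must stop a
// request *before* it leaves the browser: if a violating <img> were fetched
// anyway and merely reported as 0x0, an attacker-injected GET to a
// state-changing endpoint would still hit the server with the victim's
// cookies (CSRF). All names and URLs below are constructed.

const PAGE_ORIGIN = 'https://app.example'; // assumed origin of the victim page

// Split a Content-Security-Policy header value into directive -> sources.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// img-src falls back to default-src; null means no restriction at all.
function imgSources(header) {
  const d = parsePolicy(header);
  return d.get('img-src') || d.get('default-src') || null;
}

// Does one source expression allow `url` for a page at `pageOrigin`?
// Toy matcher: 'none', 'self', '*', scheme-only, host and *.host (no ports/paths).
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

function imgAllowed(header, urlString, pageOrigin = PAGE_ORIGIN) {
  const sources = imgSources(header);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Pull the src out of attacker-injected <img> markup.
function extractImgSrc(markup) {
  const m = /<img\s[^>]*?src="([^"]*)"/i.exec(markup);
  return m ? m[1] : null;
}

// Constructed cross-site server with a state-changing GET endpoint, the
// classic CSRF target. Any request that reaches it is logged.
function makeServer() {
  const state = { balance: 1000, requests: [] };
  return {
    state,
    handle(urlString) {
      const url = new URL(urlString);
      state.requests.push(url.href);
      if (url.pathname === '/transfer' && url.searchParams.has('amount')) {
        state.balance -= Number(url.searchParams.get('amount'));
      }
      return { width: 1, height: 1 }; // pretend a 1x1 image came back
    },
  };
}

// The two candidate browser behaviours for an <img> that violates img-src.
function loadImage(mode, header, src, server) {
  if (imgAllowed(header, src)) return server.handle(src);
  if (mode === 'block-before-fetch') return null; // request is never sent
  // 'fetch-then-hide' (the quoted proposal): fetch anyway, hide the block.
  server.handle(src);
  return { width: 0, height: 0 };
}

// Run one mode against a constructed policy and injected markup.
function runScenario(mode) {
  const policy = "default-src 'self'; img-src 'self' https://cdn.example";
  const injected = '<img src="https://bank.example/transfer?to=attacker&amount=100">';
  const bank = makeServer();
  const src = extractImgSrc(injected);
  const dims = loadImage(mode, policy, src, bank);
  return {
    blocked: !imgAllowed(policy, src),
    requestsSeen: bank.state.requests.length,
    balance: bank.state.balance,
    dims,
  };
}

for (const mode of ['block-before-fetch', 'fetch-then-hide']) {
  console.log(mode, runScenario(mode));
}
```

In both modes the page sees the same thing (no usable image), so the only observable difference is on the attacker's side: the simulated bank sees zero requests when the violating load is blocked before fetch, and one request plus a changed balance when the browser fetches first and hides afterwards.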