On Fri, Feb 14, 2014 at 2:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> Are there alternatives where we can have both the CSP security
> improvements and avoid the "hole" altogether, or minimize the damage?
>
If the browser sent a header which included the element name (img, frame,
style, script, etc.) that triggered the request, that may minimize the
concern for some cases, e.g.:
X-Requested-With: img
That way, resources that are not legitimately requested via an img tag, for
example, can block/ignore the request.
--
Pete Freitag
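Below is an added example (not from the thread or from any of its participants) of how a server could enforce the element-name header Pete proposes: a small WSGI middleware that refuses a request when the initiating element is not one the resource is meant to be loaded by. The header name `X-Requested-With` and the element values (img, script, style, frame) come from the email; the path-to-initiator mapping, the `xmlhttprequest`/`fetch` values and the "missing header means legacy browser, allow" rule are assumptions. Modern browsers ship the same idea as the Fetch Metadata header `Sec-Fetch-Dest` (values such as `image`, `script`, `style`, `iframe`), so the middleware can be pointed at that header instead.

```python
# Added example: server-side check of the proposed initiator header.
# Assumed mapping: which initiating element(s) may fetch each resource
# class. Anything else (e.g. an API endpoint loaded via <img>) is refused.
ALLOWED_INITIATORS = {
    "/static/img/": {"img"},
    "/static/js/": {"script"},
    "/static/css/": {"style"},
    "/embed/": {"frame"},
    "/api/": {"xmlhttprequest", "fetch"},   # assumed values, not from the email
}


def decide(path, requested_with):
    """Return (allow, reason) for a request path and the raw header value.

    A missing header is allowed (assumption: older browsers never send it),
    so deployment does not break clients that predate the proposal.
    """
    if requested_with is None:
        return True, "no initiator header; legacy client"
    initiator = requested_with.strip().lower()
    for prefix, allowed in ALLOWED_INITIATORS.items():
        if path.startswith(prefix):
            if initiator in allowed:
                return True, "initiator permitted"
            return False, f"{initiator!r} may not load resources under {prefix}"
    return True, "unclassified path"


class InitiatorGuard:
    """WSGI middleware that blocks requests whose initiating element is
    not allowed for the requested resource class (responds 403)."""

    def __init__(self, app, header="HTTP_X_REQUESTED_WITH"):
        # Use header="HTTP_SEC_FETCH_DEST" to enforce the shipped equivalent.
        self.app, self.header = app, header

    def __call__(self, environ, start_response):
        allow, reason = decide(environ.get("PATH_INFO", "/"),
                               environ.get(self.header))
        if not allow:
            body = reason.encode("utf-8")
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```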