- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Fri, 28 Feb 2014 11:49:25 +0100
- To: "Oda, Terri" <terri.oda@intel.com>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, Mike West <mkwst@google.com>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 28-Feb-14 01:52, Oda, Terri wrote:
> Static resources such as images and scripts don't need login protection,
> and can be served identically to logged-in and not logged-in users.
>
> What about a stock photography site that only wants to provide access to
> high resolution, watermark-free images to those who have paid for them?
> What about a games site that only allows logged in users access to
> their javascript games?
>
> It may be true in many cases that images and scripts don't need login
> protection, but I don't think it's true in all cases.

Agreed. My point is that it is true in many cases, and that in such cases, CSP may enable a security hole on an otherwise secure site.

-- 
Sigbjørn Vik
Opera Software
Received on Friday, 28 February 2014 10:49:56 UTC