- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 28 Jul 2014 19:28:07 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 28, 2014 at 7:20 PM, Brad Hill <hillbrad@gmail.com> wrote:
> But is it logically different from a data: url that is restricted by CSP?

Yes. Very much so.

> If the goal of setting an img-src directive in CSP is to protect
> against injection attacks adding unwanted image content to your page,
> isn't inline SVG the perfect bypass of the logical intent of that
> policy?

Injecting <svg> elements is no different from injecting <div> elements. img-src is not about not showing images (e.g. it does not disable <canvas>), it's about restricting where images can be fetched from.

-- 
http://annevankesteren.nl/
Received on Monday, 28 July 2014 17:28:38 UTC
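The distinction drawn in the message above (img-src governs where image fetches may go, not whether image-like markup may appear) can be made concrete with a small model of the check a browser performs. This is an added example, not code from the thread, from the W3C or from any browser engine; the policy string, page origin and markup fragments are constructed for illustration, and the source-expression matching is deliberately partial (no paths, nonces, hashes or default-src fallback).

```javascript
// Added example (not from the thread, not browser code): a small model of how
// a CSP img-src directive is applied. img-src is a check on the URL of each
// image *fetch*; markup that fetches nothing (inline <svg> shapes, <canvas>)
// never reaches it. Matching covers 'none', 'self', '*', scheme-source and
// host-source (optional *. wildcard and port); paths, nonces and hashes are
// left out, and a missing img-src is treated as "allow" rather than falling
// back to default-src.

// Return the img-src source list from a header value, or null if absent.
function parseImgSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'img-src') return tokens.slice(1);
  }
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one source expression match a request URL issued by a page at pageOrigin?
function sourceMatches(expr, reqUrl, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return reqUrl.origin === pageOrigin.origin;
  if (expr === '*') return reqUrl.protocol === 'http:' || reqUrl.protocol === 'https:';
  // scheme-source, e.g. "https:" or "data:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return reqUrl.protocol === expr.toLowerCase();
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (reqUrl.protocol !== scheme.toLowerCase() + ':') return false;
  } else {
    // No scheme given: the page's scheme, or https for an http page.
    const ok = reqUrl.protocol === pageOrigin.protocol ||
      (pageOrigin.protocol === 'http:' && reqUrl.protocol === 'https:');
    if (!ok) return false;
  }
  const reqHost = reqUrl.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !reqHost.endsWith('.' + h) : reqHost !== h) return false;
  if (port && port !== '*') {
    const reqPort = reqUrl.port || DEFAULT_PORT[reqUrl.protocol] || '';
    if (reqPort !== port) return false;
  }
  return true;
}

// Would this policy let a page at pageOriginStr fetch an image from requestUrlStr?
function imgSrcAllows(policy, pageOriginStr, requestUrlStr) {
  const sources = parseImgSrc(policy);
  if (sources === null) return true;           // simplification, see above
  const pageOrigin = new URL(pageOriginStr);
  const reqUrl = new URL(requestUrlStr, pageOriginStr);
  return sources.some(s => sourceMatches(s, reqUrl, pageOrigin));
}

// Crude (regex, not a real parser) extraction of the image fetches a markup
// fragment would trigger: <img src> and SVG <image href|xlink:href>. Inline
// <svg> shapes and <canvas> yield no URL, so img-src has nothing to decide.
function imageFetchesIn(markup) {
  const urls = [];
  const re = /<(?:img|image)\b[^>]*?\s(?:src|href|xlink:href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(markup)) !== null) urls.push(m[1]);
  return urls;
}

function checkMarkup(policy, pageOrigin, markup) {
  const result = { allowed: [], blocked: [] };
  for (const u of imageFetchesIn(markup)) {
    (imgSrcAllows(policy, pageOrigin, u) ? result.allowed : result.blocked).push(u);
  }
  return result;
}

// Constructed inputs: a policy, a page origin, and markup an injection might
// leave in the page. None of these come from the thread.
const POLICY = "default-src 'self'; img-src 'self' https://cdn.example.com";
const PAGE = 'https://app.example.com/';
const INJECTED = [
  '<img src="https://attacker.example/track.gif">',                  // fetch: blocked
  '<img src="https://cdn.example.com/logo.png">',                    // fetch: allowed
  '<img src="data:image/png;base64,iVBORw0KGgo=">',                  // data: fetch: blocked (no data: in list)
  '<svg width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>', // no fetch: img-src never consulted
  '<svg><image href="https://attacker.example/x.svg"/></svg>',       // fetch: blocked
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkMarkup(POLICY, PAGE, INJECTED));
}
```

Run with `node` and the inline <svg> of shapes produces no entry in either list: there is no request for the policy to evaluate, which is the point of the reply. The SVG `<image>` element, by contrast, does issue an image fetch and is held to the same source list as `<img>`, and a `data:` image is only allowed when `data:` appears in the list, which is the sense in which data: URLs are "restricted by CSP".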