W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

[CSP] enforcement on non text-html resources

From: Neil Matatall <neilm@twitter.com>
Date: Wed, 4 Jun 2014 09:29:54 -0700
Message-ID: <CAOFLtbiNBDWZpKT7QQKxw70OjLTA9iidevPtzOW72fHddLKYDA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I came across a feature of Chrome in which an image/gif resource gets
wrapped in some browser-provided html. This, in combination with CSP
being applied to the image response, created a large number of CSP
violations. This does not repro on Firefox.

Does the spec say anything about CSPs relationship with non-text/html
resources? I did not expect the html to be added, but I also did not
expect CSP to be applied.

I've already put up a patch to stop applying CSP to this resource. Was
that the right thing to do?

Mike and I are chatting on the chromium bug tracker[1]. What say you?

[1] https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20M%20Iteration%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified&groupby=&sort=&id=380398
Received on Wednesday, 4 June 2014 16:30:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC