- From: Neil Matatall <neilm@twitter.com>
- Date: Wed, 4 Jun 2014 09:29:54 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I came across a feature of Chrome in which an image/gif resource gets wrapped in some browser-provided HTML. This, in combination with CSP being applied to the image response, created a large number of CSP violations. This does not repro on Firefox.

Does the spec say anything about CSP's relationship with non-text/html resources? I did not expect the HTML to be added, but I also did not expect CSP to be applied.

I've already put up a patch to stop applying CSP to this resource. Was that the right thing to do? Mike and I are chatting on the Chromium bug tracker[1]. What say you?

[1] https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20M%20Iteration%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified&groupby=&sort=&id=380398

Received on Wednesday, 4 June 2014 16:30:23 UTC