W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [CSP] enforcement on non text-html resources

From: Mike West <mkwst@google.com>
Date: Thu, 5 Jun 2014 08:17:48 +0200
Message-ID: <CAKXHy=dbptK7MJZ8o=Cg0qD9sh37v-nXJaK1NQj5OoH3oJ3DLQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Neil Matatall <neilm@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
That's more or less what I suggested on the bug.

I'm now reconsidering. I don't particularly like the idea that authors
could block direct navigation to an image by sending `img-src 'none'` along
with all image resources.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Jun 4, 2014 at 6:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jun 4, 2014 at 6:29 PM, Neil Matatall <neilm@twitter.com> wrote:
> > I've already put up a patch to stop applying CSP to this resource. Was
> > that the right thing to do?
>
> Per the HTML Standard a document is to be created if such resources
> are loaded in a browsing context. CSP should apply to that.
>
>
> --
> http://annevankesteren.nl/
>
>
Received on Thursday, 5 June 2014 06:18:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC