Re: [CSP] enforcement on non text-html resources

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 5 Jun 2014 08:26:49 +0200
Message-ID: <CADnb78hbQGL+3UhrTuZKm+0BUr2m-u0FAtntUSKBpdJoWuKwSA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Neil Matatall <neilm@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jun 5, 2014 at 8:17 AM, Mike West <mkwst@google.com> wrote:
> I'm now reconsidering. I don't particularly like the idea that authors could
> block direct navigation to an image by sending `img-src 'none'` along with
> all image resources.

You'd have to special case the scenario. You can check
http://dom.spec.whatwg.org/#concept-document-content-type for
instance. Not sure what would be best here, might want to ask Ian.


-- 
http://annevankesteren.nl/
Received on Thursday, 5 June 2014 06:27:17 UTC
