Re: Should CSP affect a Notification icon?

Daniel Veditz <> wrote:
> The Web Notification feature (
> allows pages to specify a desktop notification, and an optional part of
> that spec is an Icon URL. This image URL is specified in a page, but the
> image load is not included in the page. Should CSP's image-src directive
> affect the Notification icon?

For a secure page, it should be possible to
specify, in its CSP policy, that only HTTPS resources are to be loaded
from In particular, there should be a way to ensure that
/FAVICON.ICO and that notification icon are never loaded from the
non-secure It seems reasonable to me to use
image-src for that.

> Currently in Firefox it does not: the image load is not part of the
> document (or ServiceWorker). We've received a complaint from someone who
> thought it ought to. Thoughts?

Note that CSP can be used to reduce the chance of HTTP auth
credentials and cookies being leaked over cleartext protocols, so
such loads should probably be anonymous (LOAD_ANONYMOUS in Gecko
speak) if they aren't protected by CSP, and maybe even should be
anonymous even if they are protected by CSP.


Received on Sunday, 9 November 2014 23:25:38 UTC
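As an added illustration (not code from the thread, and not Gecko's implementation): a small Python matcher that applies the img-src directive (the directive's real name; the reply writes image-src), falling back to default-src, to a Notification icon or favicon URL, so one can see whether a "HTTPS only" image policy would block a cleartext icon load. The policy strings, origins and URLs are constructed, and only a subset of CSP source expressions is handled.

```python
# Added example: a minimal CSP source-list matcher for image-class loads
# (Notification icon, /favicon.ico). It implements only the subset needed
# here: img-src with default-src fallback, scheme sources ("https:"), host
# sources with optional scheme and "*." wildcard, plus 'self' and 'none'.
# Not implemented: paths, nonces/hashes, and the http: -> https: upgrade rule.
from urllib.parse import urlparse

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Return True if one CSP source expression permits loading url."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.endswith(":") and "/" not in source:   # scheme source, e.g. https:
        return u.scheme == source[:-1].lower()
    # host source: [scheme://]host[:port]; host may begin with "*."
    scheme, _, rest = source.partition("://")
    if not rest:
        scheme, rest = "", source
    host = rest.split("/")[0].split(":")[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def image_load_allowed(header: str, url: str, page_origin: str) -> bool:
    """Apply img-src (falling back to default-src) to an image-class URL."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:          # no applicable directive: CSP does not restrict
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

if __name__ == "__main__":
    csp = "default-src 'self'; img-src https:"      # constructed policy
    for icon in ("https://cdn.example/icon.png", "http://app.example/favicon.ico"):
        print(icon, "->", image_load_allowed(csp, icon, "https://app.example"))
```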