
Re: Should CSP affect a Notification icon?

From: Brian Smith <brian@briansmith.org>
Date: Sun, 9 Nov 2014 15:25:11 -0800
Message-ID: <CAFewVt5zTNKrxvJ-ozH65XxZBd+s6shZdnLHVm+GU_cGZCmWLw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Daniel Veditz <dveditz@mozilla.com> wrote:
> The Web Notification feature (http://www.w3.org/TR/notifications/)
> allows pages to specify a desktop notification, and an optional part of
> that spec is an Icon URL. This image URL is specified in a page, but the
> image load is not included in the page. Should CSP's image-src directive
> affect the Notification icon?

For a secure page https://example.com/, it should be possible to
specify, in its CSP policy, that only HTTPS resources are to be loaded
from example.com. In particular, there should be a way to ensure that
/FAVICON.ICO and that notification icon are never loaded from the
non-secure http://example.com/. It seems reasonable to me to use
image-src for that.

> Currently in Firefox it does not: the image load is not part of the
> document (or ServiceWorker). We've received a complaint from someone who
> thought it ought to. Thoughts?

Note that CSP can be used to reduce the chance of HTTP auth
credentials and cookies being leaked over cleartext protocols, so
such loads should probably be anonymous (LOAD_ANONYMOUS in Gecko
speak) if they aren't protected by CSP, and maybe even should be
anonymous even if they are protected by CSP.

Cheers,
Brian
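As an added example (not code from the thread or from any browser), here is a small JavaScript model of how a CSP img-src source list would decide whether an icon URL such as /favicon.ico or a Notification icon may load from a page at https://example.com/. It assumes the CSP Level 2 matching rules for the common source forms and is not a full CSP implementation.

```javascript
// Added example (not code from the thread): a minimal CSP source-list matcher
// for the img-src case above. It models the scheme/host/port matching rules of
// CSP Level 2 for the common source forms ('self', 'none', scheme-source such as
// "https:", host-source with optional wildcard subdomain and port).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Effective origin parts of a URL, with the scheme's default port filled in.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(),
           port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// True if one source expression permits loading `resource` from a page at `pageOrigin`.
function sourceMatches(src, resource, pageOrigin) {
  const r = originOf(resource);
  const p = originOf(pageOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return r.scheme === p.scheme && r.host === p.host && r.port === p.port;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return r.scheme === src.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s\/:*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: an explicit scheme must match; otherwise the page's scheme applies,
  // except that an http: page may load https: resources.
  if (scheme) { if (r.scheme !== scheme.toLowerCase() + ':') return false; }
  else if (r.scheme !== p.scheme && !(p.scheme === 'http:' && r.scheme === 'https:')) return false;
  // Host: "*" matches any host; "*.example.com" matches subdomains only.
  const h = host.toLowerCase();
  if (h.startsWith('*.')) { if (!r.host.endsWith(h.slice(1))) return false; }
  else if (h !== '*' && r.host !== h) return false;
  // Port: absent means the default port for the resource's scheme.
  if (port === undefined) return r.port === DEFAULT_PORTS[r.scheme];
  return port === '*' || port === r.port;
}

// The directive governing image loads (img-src, else default-src), or null if none.
function imageDirective(policy) {
  const dirs = new Map(policy.split(';').map(d => d.trim().split(/\s+/))
    .filter(d => d[0]).map(d => [d[0].toLowerCase(), d.slice(1)]));
  return dirs.get('img-src') || dirs.get('default-src') || null;
}

// Would this policy let the page load the image (favicon, Notification icon, ...)?
function imageAllowed(policy, pageOrigin, resource) {
  const sources = imageDirective(policy);
  return sources === null || sources.some(s => sourceMatches(s, resource, pageOrigin));
}
```

With `img-src https://example.com` (or `img-src 'self'`) on the secure page, the HTTPS favicon is allowed and the cleartext http://example.com/ copy is blocked, which is the behaviour the message argues the Notification icon should share.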
Received on Sunday, 9 November 2014 23:25:38 UTC