- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 9 Nov 2014 15:25:11 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Daniel Veditz <dveditz@mozilla.com> wrote:

> The Web Notification feature (http://www.w3.org/TR/notifications/)
> allows pages to specify a desktop notification, and an optional part of
> that spec is an Icon URL. This image URL is specified in a page, but the
> image load is not included in the page. Should CSP's image-src directive
> affect the Notification icon?

For a secure page https://example.com/, it should be possible to specify, in its CSP policy, that only HTTPS resources are to be loaded from example.com. In particular, there should be a way to ensure that /FAVICON.ICO and that notification icon are never loaded from the non-secure http://example.com/. It seems reasonable to me to use image-src for that.

> Currently in Firefox it does not: the image load is not part of the
> document (or ServiceWorker). We've received a complaint from someone who
> thought it ought to. Thoughts?

Note that CSP can be used to reduce the chance of HTTP auth credentials and cookies being leaked over cleartext protocols, so such loads should probably be anonymous (LOAD_ANONYMOUS in Gecko speak) if they aren't protected by CSP, and maybe even should be anonymous even if they are protected by CSP.

Cheers,
Brian
Received on Sunday, 9 November 2014 23:25:38 UTC
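As an added illustration (not code from this thread or from Gecko), the check below shows what applying the policy Brian describes to a Notification icon URL would look like: an `img-src https://example.com` source list (the directive's spelling in the CSP spec is `img-src`) admits the HTTPS icon and /favicon.ico but rejects the same path over cleartext http. It implements only CSP host-source matching plus 'self'; nonces, hashes, 'none' and the default-src fallback are assumed out of scope.

```javascript
// Host-source syntax: [scheme://]host[:port][/path], with an optional
// leading "*." host wildcard and a "*" port. Path matching is ignored.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9][a-z0-9.-]*)(?::(\d+|\*))?(?:\/.*)?$/i;

// Returns the img-src directive's source list, or null if the policy has none.
function parseImgSrc(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "img-src") return tokens.slice(1);
  }
  return null;
}

// Does one source expression admit `url` when the policy belongs to `pageUrl`?
function sourceMatches(source, url, pageUrl) {
  if (source === "'self'") return url.origin === pageUrl.origin;
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: a scheme-less source inherits the page's scheme; an http
  // source also admits https (CSP allows the secure upgrade), never the reverse.
  const srcScheme = (scheme || pageUrl.protocol.replace(":", "")).toLowerCase();
  const urlScheme = url.protocol.replace(":", "");
  if (srcScheme !== urlScheme && !(srcScheme === "http" && urlScheme === "https")) return false;
  // Host: exact match, or any subdomain when the source starts with "*.".
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
  if (!hostOk) return false;
  // Port: no port in the source means the scheme's default port (url.port is "" then).
  if (port === undefined) return url.port === "";
  return port === "*" || port === url.port;
}

// True if an icon at `iconUrl` (absolute or relative to the page) may load.
// A policy without img-src is treated as unrestricted here (default-src
// fallback is deliberately not modelled).
function iconAllowed(policy, iconUrl, pageOrigin) {
  const sources = parseImgSrc(policy);
  if (sources === null) return true;
  const page = new URL(pageOrigin);
  const url = new URL(iconUrl, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, page));
}
```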