
Re: Should CSP affect a Notification icon?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 09 Nov 2014 16:34:08 -0800
Message-ID: <54600800.7010309@mozilla.com>
To: Brian Smith <brian@briansmith.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/9/2014 3:26 PM, Brian Smith wrote:
> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>> It seems reasonable to me to use image-src for that.
> 
> Also, even if image-src is not appropriate, then shouldn't default-src
> cover everything else unless explicitly stated otherwise?

Stopping exfiltration of data has not been a goal of CSP. We don't
prevent navigations, for example. Either we consider this part of the
covered document, in which case it's an image, or we consider it
external to the protected resource and not covered by CSP. Using
default-src (except as an image-src fallback) is not appropriate in
either case.

I could see it going either way but whichever way we should document it
somewhere, either in CSP or in the Notification standard.

-Dan Veditz
Received on Monday, 10 November 2014 00:34:39 UTC
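The `default-src` fallback Dan refers to, as an added example (not code from this thread or from any browser or spec): a small Python checker that treats a Notification icon as an image load governed by the `img-src` directive, falling back to `default-src` only when `img-src` is absent, and allowing the load when neither is present. The header values, icon URLs and page origin are constructed for illustration, and the matcher covers only a subset of CSP source expressions.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`: the directive itself, else default-src,
    else None (no restriction at all when neither is present)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_matches(expr, url, page_origin):
    """Minimal matcher for 'none', 'self', scheme-source (https:) and host-source
    (https://cdn.example.com, *.example.com). Ports and paths are ignored."""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")  # scheme is "" if none given
    host = rest.split("/", 1)[0]
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def icon_allowed(header, icon_url, page_origin):
    """Would this icon URL be permitted if treated as an img-src-governed load?"""
    sources = effective_sources(parse_csp(header), "img-src")
    if sources is None:  # neither img-src nor default-src: CSP does not restrict it
        return True
    return any(source_matches(e, icon_url, page_origin) for e in sources)
```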
