On 11/9/2014 3:26 PM, Brian Smith wrote:
> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>> It seems reasonable to me to use image-src for that.
>
> Also, even if image-src is not appropriate, then shouldn't default-src
> cover everything else unless explicitly stated otherwise?

Stopping exfiltration of data has not been a goal of CSP. We don't prevent navigations, for example. Either we consider this part of the covered document, in which case it's an image, or we consider it external to the protected resource and not covered by CSP. Using default-src (except as an image-src fallback) is not appropriate in either case.

I could see it going either way, but whichever way we should document it somewhere, either in CSP or in the Notification standard.

-Dan Veditz

Received on Monday, 10 November 2014 00:34:39 UTC
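The fallback rule Dan refers to, as an added example that is not part of the thread: under the "it's an image" reading the notification icon URL is checked against the effective image source list, which is the page's own `img-src` directive (the standard directive name is assumed here) or, only when that directive is absent, `default-src`. The policy strings, page origin and icon URLs are constructed, and the source-expression matcher is simplified (no port or path matching).

```python
from urllib.parse import urlparse

# CSP fetch directives that inherit from default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"img-src", "script-src", "style-src", "connect-src",
                         "font-src", "media-src", "object-src"}

def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy

def effective_sources(policy: dict, directive: str):
    """Own list, else default-src (fetch directives only), else None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source-expression matching: 'none', 'self', *, scheme: and
    host-source with an optional leading wildcard. Ports and paths are ignored."""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'none'" or not u.hostname:
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-source, e.g. "https:"
        return u.scheme == source[:-1]
    # Host-source: assume the URL's scheme when the source gives none.
    s = urlparse(source if "://" in source else f"{u.scheme}://{source}")
    if s.scheme != u.scheme or not s.hostname:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname

def icon_allowed(header: str, icon_url: str, page_origin: str) -> bool:
    """Treat the icon as an image of the protected document: check effective img-src."""
    sources = effective_sources(parse_csp(header), "img-src")
    if sources is None:          # neither img-src nor default-src: unrestricted
        return True
    return any(source_matches(src, icon_url, page_origin) for src in sources)
```

A policy with only `script-src` leaves the icon unrestricted, which is the "covered by default-src" reading Brian asks about; the code shows that `default-src` applies only through the `img-src` fallback.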