- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sun, 09 Nov 2014 16:34:08 -0800
- To: Brian Smith <brian@briansmith.org>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/9/2014 3:26 PM, Brian Smith wrote:
> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>> It seems reasonable to me to use image-src for that.
>
> Also, even if image-src is not appropriate, then shouldn't default-src
> cover everything else unless explicitly stated otherwise?

Stopping exfiltration of data has not been a goal of CSP. We don't prevent navigations, for example.

Either we consider this part of the covered document, in which case it's an image, or we consider it external to the protected resource and not covered by CSP. Using default-src (except as an image-src fallback) is not appropriate in either case.

I could see it going either way, but whichever way we should document it somewhere, either in CSP or in the Notification standard.

-Dan Veditz
Received on Monday, 10 November 2014 00:34:39 UTC
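The point Dan makes about default-src applying to an image fetch only as the fallback for the image directive (spelled `img-src` in CSP) is easy to see in a small policy evaluator. The following is an added example written for this archive page, not code from Mozilla, the W3C, or any browser; it parses a `Content-Security-Policy` header value, resolves the directive that governs a given fetch, and applies the standard fallback rule: a fetch directive that is absent falls back to `default-src`, and if neither is present the fetch is unrestricted. The policy strings and URLs in the tests are constructed, and the source-expression matching covers `'self'`, `'none'`, `*`, scheme sources and host sources (with `*.` wildcards and ports), which is enough to show the fallback behaviour under discussion.

```python
from urllib.parse import urlparse

# CSP Level 2 fetch directives that fall back to default-src when absent.
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src",
}


def parse_csp(header: str) -> dict:
    """Parse a header value like "default-src 'self'; img-src https://cdn.example.net"
    into {directive: [source expressions]}. Per the spec, a repeated directive is
    ignored, so the first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list that governs `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]          # the only way default-src applies
    return None


def _host_source_matches(source: str, url, page_scheme: str) -> bool:
    scheme, _, rest = source.partition("://")
    if not rest:                               # no scheme in the source expression
        scheme, rest = "", source
    host, _, port = rest.partition(":")
    if scheme and url.scheme != scheme.lower():
        return False
    if not scheme and url.scheme not in (page_scheme, "https"):
        return False                           # scheme-less host inherits page scheme (or https)
    uhost, host = (url.hostname or "").lower(), host.lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif uhost != host:
        return False
    if port and port != "*":
        default_port = {"http": 80, "https": 443}.get(url.scheme)
        if str(url.port or default_port) != port:
            return False
    return True


def source_matches(source: str, url: str, page_origin: str) -> bool:
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "*":                          # wildcard excludes data:/blob:/filesystem:
        return u.scheme in ("http", "https", "ws", "wss")
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.endswith(":"):                   # scheme source such as "https:"
        return u.scheme == source[:-1].lower()
    return _host_source_matches(source, u, p.scheme)


def allows(header: str, directive: str, url: str,
           page_origin: str = "https://example.com") -> bool:
    """Decide whether a fetch governed by `directive` for `url` is permitted by the policy."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True                            # no directive and no default-src: unrestricted
    if "'none'" in sources:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'self'; img-src https://cdn.example.net"
    print(allows(policy, "img-src", "https://cdn.example.net/icon.png"))   # True
    print(allows(policy, "img-src", "https://example.com/icon.png"))       # False: img-src set, no fallback
    print(allows("default-src 'self'", "img-src", "https://example.com/icon.png"))  # True via fallback
```

Running `allows` with a policy that sets `default-src` but no `img-src` shows the fallback Dan describes: the image fetch is judged by `default-src`. Once `img-src` is present, `default-src` plays no part in that decision, and with neither present the fetch is not restricted at all, which is why treating the notification icon as "covered by default-src" outside the image directive would be a new rule rather than existing CSP behaviour.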