Re: Should CSP affect a Notification icon?

On 11/9/2014 3:26 PM, Brian Smith wrote:
> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>> It seems reasonable to me to use image-src for that.
> 
> Also, even if image-src is not appropriate, then shouldn't default-src
> cover everything else unless explicitly stated otherwise?

Stopping exfiltration of data has not been a goal of CSP. We don't
prevent navigations, for example. Either we consider this part of the
covered document, in which case it's an image, or we consider it
external to the protected resource and not covered by CSP. Using
default-src (except as an image-src fallback) is not appropriate in
either case.

I could see it going either way, but whichever way we should document it
somewhere, either in CSP or in the Notification standard.

-Dan Veditz

Received on Monday, 10 November 2014 00:34:39 UTC
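An added example, not code from this thread or from any browser engine: a small JavaScript model of the point Dan is making, i.e. how a CSP fetch directive resolves (the directive the thread calls image-src is spelled `img-src` in the CSP spec, and it falls back to `default-src` when absent) and how a navigation falls outside CSP entirely. The `notificationIcon` request kind, which the model routes to `img-src`, is an assumption reflecting Brian's proposal, not settled behaviour; the policy string, origins and URLs are constructed for the demo. Source-expression matching follows the CSP 2 rules in simplified form (no nonces, hashes or `'unsafe-*'` keywords).

```javascript
// Added example, not code from the thread or from any browser engine.
// Toy model of CSP fetch-directive resolution and source matching:
//  - a fetch directive (img-src, script-src, ...) falls back to default-src
//  - navigations are governed by no fetch directive, so CSP does not cover them
//  - "notificationIcon" -> img-src is an ASSUMPTION mirroring the thread's
//    proposal, not settled spec behaviour.

const FETCH_DIRECTIVE_FOR = {
  image: 'img-src',
  script: 'script-src',
  connect: 'connect-src',
  notificationIcon: 'img-src', // assumption, see above
  navigation: null,            // not a fetch: CSP does not cover it
};

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "default-src 'self'; img-src https://cdn.example.com" into a Map of
// directive name -> list of source expressions. As in CSP, the first occurrence
// of a directive wins and later duplicates are ignored.
function parsePolicy(text) {
  const policy = new Map();
  for (const raw of text.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression match `url`, fetched by a document at `docOrigin`?
// Simplified CSP 2 matching: keywords 'none'/'self', '*', scheme-source, and
// host-source [scheme://]host[:port][/path] with "*." host prefixes.
function matchesSource(expr, url, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === docOrigin.origin;
  if (e === '*') return ['http:', 'https:', docOrigin.protocol].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // No explicit scheme: use the document's; an http expression also admits https.
  const wantScheme = scheme ? `${scheme}:` : docOrigin.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === 'http:' && url.protocol === 'https:')) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // *.example.com excludes example.com itself
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORT[url.protocol] || '')) return false; // no port given: default port only
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Effective directive for a fetch-directive name: itself if present, else default-src.
function resolveDirective(policy, name) {
  if (policy.has(name)) return name;
  if (policy.has('default-src')) return 'default-src';
  return null;
}

// Is a request of `kind` covered by the policy at all, and if so, is it allowed?
function checkRequest(policyText, kind, urlText, docOriginText) {
  if (!(kind in FETCH_DIRECTIVE_FOR)) throw new Error(`unknown request kind: ${kind}`);
  const directive = FETCH_DIRECTIVE_FOR[kind];
  if (directive === null) return { covered: false, directive: null, allowed: true };
  const policy = parsePolicy(policyText);
  const effective = resolveDirective(policy, directive);
  if (effective === null) return { covered: false, directive: null, allowed: true };
  const url = new URL(urlText);
  const docOrigin = new URL(docOriginText);
  const allowed = policy.get(effective).some((s) => matchesSource(s, url, docOrigin));
  return { covered: true, directive: effective, allowed };
}

// Demo on a constructed policy and document origin.
const POLICY = "default-src 'self'; img-src https://cdn.example.com";
const DOC = 'https://app.example.com/';
for (const [kind, target] of [
  ['image', 'https://cdn.example.com/icon.png'],
  ['notificationIcon', 'https://cdn.example.com/icon.png'],
  ['script', 'https://cdn.example.com/app.js'],
  ['navigation', 'https://attacker.example/?leak=secret'],
]) {
  console.log(kind, target, checkRequest(POLICY, kind, target, DOC));
}
```

Run with `node`: the image and (assumed) notification icon loads are governed by `img-src` and allowed only from the CDN, the script load falls through to `default-src 'self'` and is refused from the CDN, and the navigation carrying data out comes back as `covered: false`, which is the exfiltration gap Dan describes.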