Re: Should CSP affect a Notification icon?

This is a bit tangential, but for future versions of the standard, I'd 
love to be able to limit where simple links are allowed to go. For 
example, perhaps I want to limit a site from only being allow to link to 
my domain or subdomain. I'm just thinking, what else can we limit in the 
browser to lower the attack surface?

I am not as deep into this work as all of you are, forgive me if this 
was an ignorant request.

Aloha,
Jim

On 11/10/14 8:34 AM, Daniel Veditz wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
> Stopping exfiltration of data has not been a goal of CSP. We don't
> prevent navigations, for example. Either we consider this part of the
> covered document, in which case it's an image, or we consider it
> external to the protected resource and not covered by CSP. Using
> default-src (except as an image-src fallback) is not appropriate in
> either case.
>
> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.
>
> -Dan Veditz
>

Received on Monday, 10 November 2014 00:40:46 UTC