public-webappsec@w3.org mailing list archive, November 2014

Re: Should CSP affect a Notification icon?

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 10 Nov 2014 08:40:13 +0800
Message-ID: <5460096D.8010905@owasp.org>
To: Daniel Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

This is a bit tangential, but for future versions of the standard, I'd 
love to be able to limit where simple links are allowed to go. For 
example, perhaps I want to limit a site to only being allowed to link to 
my domain or subdomain. I'm just thinking, what else can we limit in the 
browser to lower the attack surface?

I am not as deep into this work as all of you are, forgive me if this 
was an ignorant request.

Aloha,
Jim

On 11/10/14 8:34 AM, Daniel Veditz wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
> Stopping exfiltration of data has not been a goal of CSP. We don't
> prevent navigations, for example. Either we consider this part of the
> covered document, in which case it's an image, or we consider it
> external to the protected resource and not covered by CSP. Using
> default-src (except as an image-src fallback) is not appropriate in
> either case.
>
> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.
>
> -Dan Veditz
>
Received on Monday, 10 November 2014 00:40:46 UTC
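Added example (not code from this thread or from any browser): a small CSP evaluator that makes the two positions above concrete. If a Notification icon is treated as an image, the directive that governs it is img-src (the real directive name; the thread writes "image-src"), and default-src is consulted only when img-src is absent, which is the "image-src fallback" Dan describes. A plain navigation, i.e. following a link, has no fetch directive at all, which is the gap Jim is asking about. The policy strings, the page origin and the URLs are constructed for illustration, and the source matcher is a simplified version of the CSP source-expression rules ('none', 'self', '*', scheme-source and host-source with a leading wildcard, port and path), not a full implementation.

```javascript
// Added example, not code from the thread. Policies, origins and URLs below
// are constructed; the matcher is a simplified form of the CSP matching rules.

// Parse "name source source; name source" into a Map of directive -> sources.
// The first occurrence of a directive wins, as in CSP.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does `url` (a URL object) match one source expression, relative to `self`?
// Handles 'none', 'self', '*', scheme-source ("https:") and host-source
// ("https://cdn.example.com", "*.example.com:443/static/").
function matchesSource(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  // Scheme: an explicit scheme must match; otherwise the page's own scheme
  // (an http page may also load https, an https page may not load http).
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== self.protocol && url.protocol !== "https:") {
    return false;
  }
  const urlHost = url.hostname.toLowerCase();
  if (wildcard ? !urlHost.endsWith("." + host) : urlHost !== host) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  const wantPort = port || (url.protocol === "https:" ? "443" : "80");
  if (wantPort !== "*" && wantPort !== urlPort) return false;
  if (path) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Which directive governs a request of this kind, and does it allow `urlString`?
// Only "image" and "script" are modelled here; any other kind, including a
// navigation, has no fetch directive, so the policy says nothing about it.
const FALLBACK_CHAIN = {
  image: ["img-src", "default-src"],
  script: ["script-src", "default-src"],
};

function evaluate(policyHeader, requestKind, urlString, selfOrigin) {
  const chain = FALLBACK_CHAIN[requestKind];
  if (!chain) return { governedBy: null, allowed: true };
  const directives = parsePolicy(policyHeader);
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  for (const name of chain) {
    if (directives.has(name)) {
      const allowed = directives.get(name).some((s) => matchesSource(s, url, self));
      return { governedBy: name, allowed };
    }
  }
  return { governedBy: null, allowed: true };
}

// Constructed demonstration data.
const SELF = "https://app.example.com";
const POLICY = "default-src 'self'; img-src https://cdn.example.com";

const results = [
  // img-src allows the CDN icon
  evaluate(POLICY, "image", "https://cdn.example.com/icon.png", SELF),
  // img-src blocks the same-origin icon; default-src is not consulted because img-src is present
  evaluate(POLICY, "image", "https://app.example.com/icon.png", SELF),
  // no img-src: default-src is the fallback and blocks the CDN icon
  evaluate("default-src 'self'", "image", "https://cdn.example.com/icon.png", SELF),
  // a link target is outside the reach of every fetch directive
  evaluate(POLICY, "navigation", "https://attacker.example/", SELF),
];
for (const r of results) console.log(r);
```

The second and third cases are the point of Dan's remark: once img-src is present, default-src has no say over images at all, and it only matters when img-src is missing. The last case shows why Jim's request would need a new directive rather than a tweak to default-src, since no fetch directive is consulted for a navigation.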