- From: Jim Manico <jim.manico@owasp.org>
- Date: Mon, 10 Nov 2014 08:40:13 +0800
- To: Daniel Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
This is a bit tangential, but for future versions of the standard, I'd love to be able to limit where simple links are allowed to go. For example, perhaps I want to limit a site from only being allowed to link to my domain or subdomain.

I'm just thinking, what else can we limit in the browser to lower the attack surface? I am not as deep into this work as all of you are, forgive me if this was an ignorant request.

Aloha,
Jim

On 11/10/14 8:34 AM, Daniel Veditz wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
> Stopping exfiltration of data has not been a goal of CSP. We don't
> prevent navigations, for example. Either we consider this part of the
> covered document, in which case it's an image, or we consider it
> external to the protected resource and not covered by CSP. Using
> default-src (except as an image-src fallback) is not appropriate in
> either case.
>
> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.
>
> -Dan Veditz
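The fallback Dan refers to (an image directive that is absent inherits default-src, while a fetch that no directive covers is simply outside the policy) is easy to get wrong when writing or reviewing a policy. The following Python is an added illustration for this thread, not code from the list, the CSP specification or any browser. It assumes the directive the messages call "image-src" is spelled img-src as it is in CSP, uses a constructed document origin of https://example.com and a constructed notification icon URL, and simplifies source matching (ports and paths are ignored). Like CSP as Dan describes it, it says nothing about where a plain link may navigate.

```python
"""Resolve which CSP source list governs a fetch, with the default-src
fallback. Added example for the thread above; not spec or browser code."""
from typing import Optional
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when absent. Constructed
# subset for illustration; CSP's real list is longer.
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized Content-Security-Policy value into
    {directive-name: [source expressions]}; a repeated directive is ignored."""
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def effective_source_list(directives: dict[str, list[str]],
                          directive: str) -> Optional[list[str]]:
    """Source list that governs `directive`: the directive itself, else
    default-src for fetch directives, else None (policy does not cover it)."""
    if directive in directives:
        return directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"]
    return None


def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.net" matches subdomains of example.net, not example.net itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source_list: list[str], url: str,
                  document_origin: str) -> bool:
    """Match `url` against 'none', 'self', '*', scheme-source ("https:")
    and host-source expressions. Simplified: ports and paths are ignored."""
    target = urlsplit(url)
    origin = urlsplit(document_origin)
    host_of_target = target.hostname or ""
    for expr in source_list:
        e = expr.lower()
        if e == "'none'":
            continue                      # matches nothing
        if e == "*":
            if target.scheme in NETWORK_SCHEMES:
                return True
            continue
        if e == "'self'":
            if (target.scheme, target.hostname) == (origin.scheme, origin.hostname):
                return True
            continue
        if e.endswith(":") and "/" not in e:     # scheme-source, e.g. "https:"
            if target.scheme == e[:-1]:
                return True
            continue
        # host-source, with or without an explicit scheme
        if "://" in e:
            scheme, _, host = e.partition("://")
            if target.scheme != scheme:
                continue
        else:
            host = e
            # No scheme given: same scheme as the document, or an https upgrade.
            if target.scheme not in {origin.scheme, "https"}:
                continue
        host = host.split("/")[0].split(":")[0]    # drop path and port
        if _host_matches(host, host_of_target):
            return True
    return False


def fetch_allowed(policy: str, directive: str, url: str,
                  document_origin: str = "https://example.com") -> bool:
    """May a document at `document_origin`, under `policy`, load `url` as
    the resource kind that `directive` governs?"""
    sources = effective_source_list(parse_policy(policy), directive)
    if sources is None:
        return True                       # nothing in the policy covers this fetch
    return source_allows(sources, url, document_origin)


if __name__ == "__main__":
    icon = "https://images.example.net/notify.png"    # constructed URL
    for policy in ("default-src 'self'",
                   "default-src 'self'; img-src *",
                   "script-src 'self'"):
        print(f"{policy!r:40} icon allowed: {fetch_allowed(policy, 'img-src', icon)}")
```

The three policies in the demo show the distinction Dan draws: with only default-src set, the icon is judged as an image and blocked; an explicit img-src overrides the fallback; and a policy with no default-src and no img-src does not cover the fetch at all, so the icon loads.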
Received on Monday, 10 November 2014 00:40:46 UTC