Re: Should CSP affect a Notification icon?

Daniel Veditz <dveditz@mozilla.com> wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>>
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
>
> Stopping exfiltration of data has not been a goal of CSP.

I think it is a goal of users of CSP, and it seems reasonable to make
at least some forms of exfiltration prevention a goal of CSP.

> We don't prevent navigations, for example.

I think this is something to consider adding, at least to help for the
"ensure my site is 100% HTTPS" use age.

> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.

More generally, as people add stuff to the (WHATWG) HTML Standard,
they need a way of specifying how CSP works for it, and/or a way to
define new CSP directives for that stuff, without waiting for a new
level of CSP to go through standardization at W3C.

Cheers,
Brian

Received on Monday, 10 November 2014 02:45:57 UTC