
Re: Should CSP affect a Notification icon?

From: Brian Smith <brian@briansmith.org>
Date: Sun, 9 Nov 2014 18:45:30 -0800
Message-ID: <CAFewVt5CZSei1G-5O8DnN5V2a=3A8HnxXmFJ0HcGuA=v=KDc8Q@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Daniel Veditz <dveditz@mozilla.com> wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>>
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
>
> Stopping exfiltration of data has not been a goal of CSP.

I think it is a goal of users of CSP, and it seems reasonable to make
at least some forms of exfiltration prevention a goal of CSP.

> We don't prevent navigations, for example.

I think this is something to consider adding, at least to help for the
"ensure my site is 100% HTTPS" use case.

> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.

More generally, as people add stuff to the (WHATWG) HTML Standard,
they need a way of specifying how CSP works for it, and/or a way to
define new CSP directives for that stuff, without waiting for a new
level of CSP to go through standardization at W3C.

Cheers,
Brian
Received on Monday, 10 November 2014 02:45:57 UTC
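As an added illustration (not code from the thread, the CSP spec or any browser), a minimal Python model of the fallback rule behind the default-src question above: fetch directives such as img-src (the directive's actual spelling) inherit default-src when absent, while form-action, which governs form submissions in CSP Level 2, and plain navigations get no fallback at all. The directive set and the origin matching are simplified assumptions.

```python
from typing import Dict, List, Optional

# Fetch directives inherit default-src when absent; form-action and plain
# navigations never do, which is the gap the message points at.
FETCH_DIRECTIVES = {"img-src", "script-src", "style-src", "connect-src",
                    "font-src", "media-src", "object-src"}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'name src ...; name src ...' into {name: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Source list governing `directive` after the default-src fallback,
    or None when the policy is silent about it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None

def allowed(policy: Dict[str, List[str]], directive: str,
            url_origin: str, page_origin: str) -> Optional[bool]:
    """True/False when CSP decides the load; None when no directive
    applies and the fetch or navigation proceeds unchecked."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return None
    for src in sources:
        if src == "'none'":
            continue  # matches nothing
        if src == "*" or src == url_origin:
            return True
        if src == "'self'" and url_origin == page_origin:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample policy for a page served from https://site.example
    policy = parse_csp("default-src 'self'; script-src https://cdn.example")
    # Notification icon treated as an img-src fetch: default-src catches it.
    print(allowed(policy, "img-src", "https://evil.example", "https://site.example"))  # False
    # Form submission to a third party: no fallback, so CSP stays silent.
    print(allowed(policy, "form-action", "https://evil.example", "https://site.example"))  # None
```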
