- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 9 Nov 2014 18:45:30 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Daniel Veditz <dveditz@mozilla.com> wrote:
> On 11/9/2014 3:26 PM, Brian Smith wrote:
>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>> It seems reasonable to me to use image-src for that.
>>
>> Also, even if image-src is not appropriate, then shouldn't default-src
>> cover everything else unless explicitly stated otherwise?
>
> Stopping exfiltration of data has not been a goal of CSP.

I think it is a goal of users of CSP, and it seems reasonable to make at least some forms of exfiltration prevention a goal of CSP.

> We don't prevent navigations, for example.

I think this is something to consider adding, at least to help for the "ensure my site is 100% HTTPS" use case.

> I could see it going either way but whichever way we should document it
> somewhere, either in CSP or in the Notification standard.

More generally, as people add stuff to the (WHATWG) HTML Standard, they need a way of specifying how CSP works for it, and/or a way to define new CSP directives for that stuff, without waiting for a new level of CSP to go through standardization at W3C.

Cheers,
Brian
Received on Monday, 10 November 2014 02:45:57 UTC