- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Sun, 09 Nov 2014 18:58:53 -0800
- To: Brian Smith <brian@briansmith.org>, Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Brian Smith <brian@briansmith.org> writes:

> Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 11/9/2014 3:26 PM, Brian Smith wrote:
>>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>>> It seems reasonable to me to use image-src for that.
>>>
>>> Also, even if image-src is not appropriate, then shouldn't default-src
>>> cover everything else unless explicitly stated otherwise?
>>
>> Stopping exfiltration of data has not been a goal of CSP.
>
> I think it is a goal of users of CSP, and it seems reasonable to make
> at least some forms of exfiltration prevention a goal of CSP.
>
>> We don't prevent navigations, for example.
>
> I think this is something to consider adding, at least to help for the
> "ensure my site is 100% HTTPS" usage.
>
>> I could see it going either way but whichever way we should document it
>> somewhere, either in CSP or in the Notification standard.
>
> More generally, as people add stuff to the (WHATWG) HTML Standard,
> they need a way of specifying how CSP works for it, and/or a way to
> define new CSP directives for that stuff, without waiting for a new
> level of CSP to go through standardization at W3C.

I support Brian's points. The navigation -- at least in the context of
iframes -- was also raised here:

https://www.w3.org/2011/webappsec/track/issues/69

Best,
Deian
Received on Monday, 10 November 2014 02:59:20 UTC
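The two points argued above, that an omitted fetch directive such as img-src falls back to default-src and that a navigation is governed by no CSP Level 2 directive at all, can be made concrete with a small model of how a browser resolves a policy. The following JavaScript is an added example; it is not code from this thread, from the CSP specification or from any browser. It assumes: the directive is spelled img-src in the spec (Brian writes image-src); treating a Notification icon fetch as an img-src load is Brian's proposal in the thread, not settled behaviour; "navigate" is only a label for a top-level navigation, since CSP 2 defines no such directive; and the origins app.example, cdn.example and attacker.example are constructed. Source matching is simplified (no path matching, redirects, nonces or hashes).

```javascript
// Added example (not code from the thread or the CSP spec): a toy model of
// CSP Level 2 directive resolution and source matching. It shows that fetch
// directives such as img-src fall back to default-src when omitted, and that
// a top-level navigation is governed by no CSP 2 directive, so a policy
// cannot stop exfiltration through it. Simplifications: no path matching,
// no redirects, no nonce/hash sources.

// CSP 2 fetch directives that inherit default-src when absent. form-action,
// frame-ancestors, base-uri and friends do not fall back.
const FETCH_DIRECTIVES = new Set([
  "child-src", "connect-src", "font-src", "img-src", "media-src",
  "object-src", "script-src", "style-src",
]);

// "img-src 'self' https://cdn.example; default-src 'self'" -> Map(name -> [sources]).
// As in the spec, a repeated directive name is ignored after the first one.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that governs `directive`, or null when the policy does not
// govern it (no explicit directive and no default-src fallback applies).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match `url`, for a page at origin `self`?
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (e.startsWith("'")) return false;      // 'unsafe-inline', nonces, hashes never match a URL
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source, e.g. "https:"
  // host-source: [scheme://] [*.] host [:port | :*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // No scheme in the expression: the page's own scheme, or an upgrade to https.
  if (scheme ? url.protocol !== scheme + ":"
             : url.protocol !== self.protocol && url.protocol !== "https:") return false;
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port === undefined) return url.port === "";           // URL.port is "" for the scheme default
  return port === "*" || url.port === port || (url.port === "" && defaultPort(url.protocol) === port);
}

// Decide a load. `governed: false` means the policy has nothing to say about it.
function allows(policy, directive, url, self) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return { governed: false, allowed: true };
  return { governed: true, allowed: sources.some((s) => sourceMatches(s, url, self)) };
}

// Constructed scenario: an HTTPS site that wants everything from its own
// origin plus images from one CDN. There is no navigation directive to set,
// because CSP 2 does not define one.
const SELF = new URL("https://app.example/");
const POLICY = parsePolicy("default-src 'self'; img-src 'self' https://cdn.example");

// Constructed load attempts: [directive the load is checked against, URL].
// "navigate" is a label for a top-level navigation, not a real directive.
const ATTEMPTS = [
  ["img-src",     "https://cdn.example/logo.png"],             // legitimate image
  ["img-src",     "https://attacker.example/leak?d=secret"],   // exfil via <img>
  ["connect-src", "https://attacker.example/leak"],            // exfil via XHR: default-src applies
  ["img-src",     "https://attacker.example/icon.png"],        // Notification icon, if img-src governed it
  ["navigate",    "https://attacker.example/leak?d=secret"],   // exfil via navigation
];

function evaluate(policy, self, attempts) {
  return attempts.map(([directive, href]) => {
    const { governed, allowed } = allows(policy, directive, new URL(href), self);
    const verdict = !governed ? "not governed by CSP 2" : allowed ? "allowed" : "blocked";
    return `${directive.padEnd(12)} ${href.padEnd(42)} ${verdict}`;
  });
}

console.log(evaluate(POLICY, SELF, ATTEMPTS).join("\n"));
```

Run with `node`: the CDN image is allowed, the three fetches to attacker.example are blocked (the XHR one only because connect-src inherits default-src), and the navigation is reported as not governed, which is exactly the gap Dan describes and Brian wants closed. Note also that form-action and frame-ancestors return "not governed" under this policy even though default-src is set, because they are not fetch directives.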