Re: Should CSP affect a Notification icon?

Brian Smith writes:

> Daniel Veditz wrote:
>> On 11/9/2014 3:26 PM, Brian Smith wrote:
>>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith wrote:
>>>> It seems reasonable to me to use image-src for that.
>>> Also, even if image-src is not appropriate, then shouldn't default-src
>>> cover everything else unless explicitly stated otherwise?
>> Stopping exfiltration of data has not been a goal of CSP.
> I think it is a goal of users of CSP, and it seems reasonable to make
> at least some forms of exfiltration prevention a goal of CSP.
>> We don't prevent navigations, for example.
> I think this is something to consider adding, at least to help for the
> "ensure my site is 100% HTTPS" usage.
>> I could see it going either way but whichever way we should document it
>> somewhere, either in CSP or in the Notification standard.
> More generally, as people add stuff to the (WHATWG) HTML Standard,
> they need a way of specifying how CSP works for it, and/or a way to
> define new CSP directives for that stuff, without waiting for a new
> level of CSP to go through standardization at W3C.

I support Brian's points. The navigation -- at least in the context of
iframes -- was also raised here:


Received on Monday, 10 November 2014 02:59:20 UTC