
Re: Should CSP affect a Notification icon?

From: Deian Stefan <deian@cs.stanford.edu>
Date: Sun, 09 Nov 2014 18:58:53 -0800
To: Brian Smith <brian@briansmith.org>, Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <87oasfn4lu.fsf@cs.stanford.edu>

Brian Smith <brian@briansmith.org> writes:

> Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 11/9/2014 3:26 PM, Brian Smith wrote:
>>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>>> It seems reasonable to me to use image-src for that.
>>>
>>> Also, even if image-src is not appropriate, then shouldn't default-src
>>> cover everything else unless explicitly stated otherwise?
>>
>> Stopping exfiltration of data has not been a goal of CSP.
>
> I think it is a goal of users of CSP, and it seems reasonable to make
> at least some forms of exfiltration prevention a goal of CSP.
>
>> We don't prevent navigations, for example.
>
> I think this is something to consider adding, at least to help for the
> "ensure my site is 100% HTTPS" use case.
>
>> I could see it going either way but whichever way we should document it
>> somewhere, either in CSP or in the Notification standard.
>
> More generally, as people add stuff to the (WHATWG) HTML Standard,
> they need a way of specifying how CSP works for it, and/or a way to
> define new CSP directives for that stuff, without waiting for a new
> level of CSP to go through standardization at W3C.

I support Brian's points. The navigation -- at least in the context of
iframes -- was also raised here:

https://www.w3.org/2011/webappsec/track/issues/69

Best,
Deian
Received on Monday, 10 November 2014 02:59:20 UTC
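The semantics being argued over above (check a Notification icon URL against img-src, and let default-src cover it when img-src is absent) can be made concrete with a small source-list matcher. The following is an added example, not code from the thread, from any browser, or from the CSP or Notification specs; the function names are hypothetical, the CDN and app hostnames are constructed, and it implements only the CSP Level 2 host-source, scheme-source, 'self', 'none' and '*' forms (no nonces, hashes, 'unsafe-inline', or the later CSP3 fallback chain).

```javascript
// Added example (not from the thread or any browser): a simplified CSP Level 2
// source-list matcher showing how an image fetch, here a Notification icon URL,
// would be checked against img-src with default-src as the fallback.
// Function names are hypothetical; nonces, hashes and 'unsafe-inline' are omitted.

// Parse "directive sources; directive sources" into a Map. As in the spec,
// the first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A fetch directive that is not set inherits default-src. If neither is set,
// this policy does not restrict that kind of fetch at all.
function sourceListFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// host-source grammar (simplified): [scheme://]host[:port][/path]
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

function hostMatches(pattern, host) {
  const p = pattern.toLowerCase(), h = host.toLowerCase();
  if (p === '*') return true;
  // "*.example.com" matches subdomains only, never the apex "example.com".
  if (p.startsWith('*.')) return h.length > p.length - 1 && h.endsWith(p.slice(1));
  return p === h;
}

function portMatches(pattern, url) {
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  const actual = url.port || defaultPort;
  if (pattern === '*') return true;
  if (pattern === '') return actual === defaultPort;
  return pattern === actual;
}

function pathMatches(pattern, url) {
  if (!pattern) return true;                              // no path part: any path
  if (pattern.endsWith('/')) return url.pathname.startsWith(pattern); // prefix
  return url.pathname === pattern;                        // no trailing slash: exact
}

function expressionMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                                   // keyword we do not model
  const [, scheme, host, port = '', path] = m;
  const selfProtocol = new URL(selfOrigin).protocol;
  // A scheme-less host-source takes the page's scheme; an http: page also allows https:.
  const schemeOk = scheme
    ? url.protocol === scheme.toLowerCase() + ':'
    : url.protocol === selfProtocol || (selfProtocol === 'http:' && url.protocol === 'https:');
  return schemeOk && hostMatches(host, url.hostname) && portMatches(port, url) && pathMatches(path, url);
}

// Would a fetch of urlString governed by `directive` be permitted by `header`,
// evaluated for a document whose origin is selfOrigin?
function isAllowed(header, directive, urlString, selfOrigin) {
  const list = sourceListFor(parsePolicy(header), directive);
  if (list === null) return true;
  const url = new URL(urlString);
  return list.some((expr) => expressionMatches(expr, url, selfOrigin));
}

// Constructed sample: a page on https://app.example.com showing a Notification
// whose icon is hosted on a CDN, checked as an image fetch under several policies.
const SELF = 'https://app.example.com';
const SAMPLES = [
  ["default-src 'self'; img-src 'self' https://cdn.example.com", 'https://cdn.example.com/icon.png'],
  ["default-src 'self'; img-src 'self' https://cdn.example.com", 'https://attacker.example/icon.png'],
  ["default-src 'self' https:", 'https://cdn.example.com/icon.png'], // no img-src: default-src applies
  ["default-src 'none'", 'https://cdn.example.com/icon.png'],
  ["script-src 'self'", 'https://cdn.example.com/icon.png'],         // neither img-src nor default-src
];
for (const [policy, icon] of SAMPLES) {
  console.log(`${isAllowed(policy, 'img-src', icon, SELF) ? 'ALLOW' : 'BLOCK'}  ${icon}  under "${policy}"`);
}
```

The last sample is the case Brian raises: a policy that sets neither img-src nor default-src leaves the icon fetch unrestricted, so a site that wants "100% HTTPS" needs at least `default-src https:` (or an explicit img-src) for the fallback to bite. Whether a user agent actually routes the Notification icon through img-src is exactly the open question of the thread; this matcher only shows what the answer would mean.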
