- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 9 Nov 2014 19:11:01 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I think whether or not exfiltration prevention should be something CSP cares about is a separate discussion. IMHO, right now, CSP is all about "what resources get loaded in this document context?". Given that, I wonder if, maybe, for now, it makes sense to say "it doesn't apply since not part of the document". Then, once there is consensus to tackle explicit exfiltration more broadly and then we can talk about this? For example, there is the post message directives that was recently brought up that will also need to be covered.

On 9 November 2014 18:45, Brian Smith <brian@briansmith.org> wrote:
> Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 11/9/2014 3:26 PM, Brian Smith wrote:
>>> On Sun, Nov 9, 2014 at 3:25 PM, Brian Smith <brian@briansmith.org> wrote:
>>>> It seems reasonable to me to use image-src for that.
>>>
>>> Also, even if image-src is not appropriate, then shouldn't default-src
>>> cover everything else unless explicitly stated otherwise?
>>
>> Stopping exfiltration of data has not been a goal of CSP.
>
> I think it is a goal of users of CSP, and it seems reasonable to make
> at least some forms of exfiltration prevention a goal of CSP.
>
>> We don't prevent navigations, for example.
>
> I think this is something to consider adding, at least to help for the
> "ensure my site is 100% HTTPS" use age.
>
>> I could see it going either way but whichever way we should document it
>> somewhere, either in CSP or in the Notification standard.
>
> More generally, as people add stuff to the (WHATWG) HTML Standard,
> they need a way of specifying how CSP works for it, and/or a way to
> define new CSP directives for that stuff, without waiting for a new
> level of CSP to go through standardization at W3C.
>
> Cheers,
> Brian
>

Received on Monday, 10 November 2014 03:11:47 UTC