
[MIX] link rel=icon

From: Pete Freitag <pete@foundeo.com>
Date: Tue, 18 Nov 2014 10:52:20 -0500
Message-ID: <CAADZ8V44J71c=1RkaTN2zLvk=xfcLSSBFifdZY+g-gcYqa8DGA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Consider:

<link rel="icon" href="http://cdn.example.com/icon.png" type="image/png">

Should it fall under 3.1 Optionally Blocked Content or 3.2 Blockable
content?

Currently both FF & Chrome treat it as Optionally Blockable content (they
allow the content to load) with an a priori insecure origin.

There is an implementation difference in handling the rel=icon case between
Firefox and Chrome currently. FF will treat it as if an insecure image was
loaded (replaces lock with warning icon) and logs a console message, but
Chrome simply allows it to load.

Should the spec be updated to list link rel=icon as Optionally Blocked
Content (if it is not listed there, then it should be blocked according to
the current editors draft)?

Treating it the same as an image makes sense to me, but it may be a case
that could be treated as blockable content because it is not terribly
catastrophic if the favicon does not load IMHO.

I'd be happy to either send a pull request to the spec (to treat as
Optionally Blockable content) or file bugs with the browsers to treat it as
blockable content.

Are there other cases for the link tag that should be considered? For
example:

<link rel="alternate" type="application/rss+xml" href="http://example.com/rss/">

I'm less concerned about that one since it is pretty much just a link; both
FF & Chrome do not warn if the href is an a priori insecure origin.

--
Pete Freitag
http://content-security-policy.com/ - CSP Reference
Received on Tuesday, 18 November 2014 15:53:12 UTC
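The classification the post is asking about, as an added example that is not part of the original message or of the spec text: a small Node.js scanner that walks an HTML document for subresource references, resolves each reference against the page URL, flags the ones whose origin is a priori insecure (scheme http: or ws:), and labels each with the mixed-content category discussed above. Treating `<link rel=icon>` as optionally blockable follows the proposal in the post rather than settled spec text, the tag/rel tables and the `not-fetched` label for `rel=alternate` are assumptions for illustration, and the sample page is constructed (its first two tags are the ones quoted in the post).

```javascript
// Added example, not code from the original post or the Mixed Content spec.
// Scans HTML for subresource references to a priori insecure origins and
// labels each with a mixed-content category. Runs on Node.js (global URL).

// Classification tables. img/audio/video as optionally blockable and
// script/iframe/stylesheet as blockable follow the editor's draft; treating
// <link rel=icon> like an image is the treatment proposed in the post, not
// settled spec text (assumption). Anything not listed as optionally
// blockable is treated as blockable, as the post notes the draft does.
const OPTIONALLY_BLOCKABLE_TAGS = new Set(["img", "audio", "video"]);
const OPTIONALLY_BLOCKABLE_LINK_RELS = new Set(["icon"]);
// rel values that only expose a navigable link and fetch nothing (assumption
// for illustration; the post observes that browsers do not warn on these).
const NON_FETCHING_LINK_RELS = new Set(["alternate"]);

// An origin is a priori insecure when its scheme is neither https nor wss.
// Non-network schemes (data:, blob:, about:) are not fetches and are skipped.
function isAPrioriInsecure(url) {
  return url.protocol === "http:" || url.protocol === "ws:";
}

// Category for one element. rel is only consulted for <link>; a space-
// separated token list such as "shortcut icon" is handled token by token.
function classify(tag, rel) {
  if (tag === "link") {
    const rels = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (rels.some((r) => NON_FETCHING_LINK_RELS.has(r))) return "not-fetched";
    if (rels.some((r) => OPTIONALLY_BLOCKABLE_LINK_RELS.has(r))) return "optionally-blockable";
    return "blockable";
  }
  return OPTIONALLY_BLOCKABLE_TAGS.has(tag) ? "optionally-blockable" : "blockable";
}

// Minimal attribute parser for a start tag's attribute text; tolerates
// double-quoted, single-quoted and unquoted values. Not a full HTML tokenizer.
function parseAttrs(text) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per element whose resolved src/href is a priori
// insecure. Relative and protocol-relative references are resolved against
// the page URL first, so "//cdn.example.com/x" on an https page is clean.
function findInsecureReferences(html, pageUrl) {
  const base = new URL(pageUrl);
  // Mixed content only arises on a page that is itself delivered securely.
  if (base.protocol !== "https:") return [];
  const findings = [];
  const tagRe = /<(img|script|link|iframe|audio|video)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const ref = attrs.src ?? attrs.href;
    if (!ref) continue;
    let url;
    try {
      url = new URL(ref, base);
    } catch {
      continue; // unparsable reference; nothing would be fetched
    }
    if (!isAPrioriInsecure(url)) continue;
    findings.push({
      tag,
      rel: attrs.rel ?? null,
      url: url.href,
      category: classify(tag, attrs.rel),
    });
  }
  return findings;
}

// Constructed sample page (assumption). The first two tags are from the post.
const SAMPLE_HTML = `
<html><head>
<link rel="icon" href="http://cdn.example.com/icon.png" type="image/png">
<link rel="alternate" type="application/rss+xml" href="http://example.com/rss/">
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src='http://cdn.example.com/pixel.gif'>
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>`;

function report() {
  return findInsecureReferences(SAMPLE_HTML, "https://www.example.com/");
}

console.log(JSON.stringify(report(), null, 2));
```

On the sample page the scanner reports four references: the favicon (optionally blockable under the post's proposal), the RSS alternate link (not fetched), the script (blockable) and the tracking pixel (optionally blockable). The protocol-relative logo resolves to https on an https page and is not flagged, which is the usual fix for the favicon case, and the same document served over http yields no findings, since mixed content is only defined for a secure context.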
