- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 24 Oct 2014 08:59:12 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Fri, Oct 24, 2014 at 8:50 AM, Mark Nottingham <mnot@mnot.net> wrote:
> I think the issue here is that the replacement for a hack (that works) is a more general, less precise mechanism.

I guess that's fair, though we are slowly moving to a world where you cannot have mixed content so the only real leak would be navigation anyway. But yes, it does seem quite bad to meanwhile leak the path to the network through unauthenticated images. That should be addressed somehow. Perhaps the policy, if less strict, should not affect unauthenticated subresources.

--
https://annevankesteren.nl/

Received on Friday, 24 October 2014 06:59:39 UTC