- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 5 Jan 2015 18:54:14 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 6:39 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> Isn't it also the case that cross-origin images like that are
> inaccessible to script? Obviously, there is some information leakage
> (timing, for instance), but rarely anything that could be actionable
> and therefore exploitable.

The user could be misled if the images are replaced or altered in transit. E.g. headlines done as images, an important news image, etc. Given how something as simple as not securing clock synchronization can have drastic consequences (has this been patched yet?) I would be really suspect of any form of Mixed Content.

(I hope nobody is too confused with me trying to argue both sides to tease out anything we're missing.)

--
https://annevankesteren.nl/

Received on Monday, 5 January 2015 17:54:41 UTC