
Re: On the Insecurity of Whitelists and the Future of CSP

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 8 Sep 2016 08:37:00 -0700
To: Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>
Message-ID: <1fd8fe69-4317-e59e-aa5e-48e740bcb5f2@mozilla.com>
On 9/7/16 1:14 PM, Artur Janc wrote:
> For example, there's almost never a security benefit of setting
> img-src, and it adds maintenance overhead and risks breakage when
> URLs change,

About the only time img-src is useful is to undo a restrictive
default-src. For example "default-src 'self'; img-src *;"

-Dan Veditz
Received on Thursday, 8 September 2016 15:37:28 UTC
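The directive fallback Dan is relying on, as an added example that is not part of the thread: a small Python model of CSP's "absent fetch directive inherits default-src" rule, showing that `default-src 'self'` alone blocks cross-origin images while `default-src 'self'; img-src *` reopens them without loosening `script-src`. The policies and URLs are constructed for the example, and only a subset of source-expression matching (`'self'`, `'none'`, `*`, scheme and host sources, no port or path matching) is modeled.

```python
# Added example, not code from the thread: a minimal model of CSP directive
# fallback and source matching, enough to show why "img-src" mostly matters
# as a way to undo a restrictive "default-src".
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when absent (abbreviated CSP3 list).
FALLS_BACK_TO_DEFAULT = {"img-src", "script-src", "style-src", "connect-src",
                         "font-src", "media-src"}

def parse_policy(serialized):
    """Parse 'dir src src; dir src' into {directive: [source expressions]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])  # a repeated directive is ignored
    return policy

def effective_sources(policy, directive):
    """Return the governing source list, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")  # None: no directive governs this fetch
    return None

def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc.lower()}"

def source_matches(expr, url, page_origin):
    """Subset of CSP source-expression matching (ports and paths ignored)."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin_of(url) == page_origin
    if expr == "*":
        return u.scheme in ("http", "https")  # '*' never covers data:/blob:
    if expr.endswith(":"):                     # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")   # host-source, optional "*." label
    if scheme and scheme != u.scheme:
        return False
    host = host.lower()
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def allowed(serialized, directive, url, page_origin):
    """True if a fetch governed by `directive` to `url` passes the policy."""
    sources = effective_sources(parse_policy(serialized), directive)
    if sources is None:
        return True                  # nothing restricts this fetch
    return any(source_matches(s, url, page_origin) for s in sources)  # [] acts as 'none'
```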

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC