> It would be nice if html authors had a way to tell browsers that they are
> not leak info over the network for a specific page.

I've heard of this threat model before, and didn't understand it then,
either. :) If the site operator controls their site, they can simply author
their content such that it doesn't do this. Right?

It seems like a CSP header saying "default-src none" would instruct the
browser to enforce this goal. Does that work?

>    - Browser plugins should be disabled (is that even feasible?).

The browser is the user's agent, not the site operator's agent.

> Well, if that could happen, then the url bar could turn a different color
> or whatever to indicate that nothing is leaking.

The last thing we should do is to complicate security-critical UX, which
people already have a hard time understanding, for a marginal and
hard-to-prove security assertion. Sorry. :)


