Re: [webappsec] CSP 1.0 bug? button type=image and img-src

On Tue, Apr 23, 2013 at 11:04 PM, Adam Barth <w3c@adambarth.com> wrote:
> We should try to find a way editorially to avoid having to enumerate all the
> different ways user agents can load images.  We're unlikely to be able to
> list them all, and it will make the spec fragile as the platform evolves.

Should we make these "types" (media, image, etc.) part of what
specifications define when they perform a
http://fetch.spec.whatwg.org/ ? That way we have a nice way to hook in
the CSP check there.

Also, lowsrc is not supported by user agents and should not be
included. You might want to list srcset though.


--
http://annevankesteren.nl/

Received on Wednesday, 24 April 2013 10:28:48 UTC