
List of available images and Fetch policies #154

Open
annevk opened this issue Sep 16, 2015 · 3 comments

Comments

annevk (Member) commented Sep 16, 2015

https://html.spec.whatwg.org/multipage/embedded-content.html#list-of-available-images can be copied from document to document, but does not account for differences between such documents. E.g., they might have different CSP policies or one of them might disallow Mixed Content. We should probably only allow copying of this cache to take place if that does not break any of those security policies.

No idea if implementations handle this correctly today.

annevk (Member, Author) commented Apr 23, 2016

I'm not sure if I'm the best person to tackle this. Feels more like the terrain of @mikewest and @zcorpan.

annevk (Member, Author) commented Jul 22, 2016

See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=28374 for some related discussion on the security model around images (and how it differs for "cors" vs "no-cors").

annevk removed their assignment Jul 22, 2016

bzbarsky (Contributor) commented:

In Gecko, CSP checks are done on any hit from this list, precisely because of this issue. See near the end of https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c15 and https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c65 for the discussion about this when we pushed CSP checks down into something more like fetch instead of doing them before even talking to the image loader.
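The behaviour the thread converges on, a hit from the list of available images being re-validated against the requesting document's CSP and mixed-content rules rather than trusted because some other document fetched the image, as an added example that is not code from the HTML spec, Gecko, or this thread. The CSP matcher is a simplified subset of img-src source expressions ('self', 'none', '*', scheme-source, host-source with an optional leading wildcard label) and the mixed-content rule simply blocks http: images inside https: documents; both simplifications are assumptions made for illustration, as are the document and image URLs.

```javascript
// Added example (not from the HTML spec or any browser): a toy per-document
// "list of available images" where every cache hit is checked against the
// *requesting* document's policies. Document URLs, CSP values and cached
// entries below are constructed sample data.

// Simplified CSP matching for images. directives looks like
// { "img-src": ["'self'", "https://cdn.example"] }; img-src falls back to
// default-src, and no applicable directive means "allowed".
function cspAllowsImage(documentUrl, directives, imageUrl) {
  const sources = directives["img-src"] ?? directives["default-src"];
  if (sources === undefined) return true;
  const img = new URL(imageUrl);
  const doc = new URL(documentUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") {
      if (img.origin === doc.origin) return true;
      continue;
    }
    if (src.endsWith(":")) { // scheme-source such as "https:"
      if (img.protocol === src) return true;
      continue;
    }
    // host-source, optionally prefixed with a scheme and starting with "*."
    let [scheme, host] = src.includes("://") ? src.split("://") : [null, src];
    if (scheme !== null && img.protocol !== scheme + ":") continue;
    host = host.split("/")[0].split(":")[0]; // toy: ignore path and port
    if (host.startsWith("*.")) {
      if (img.hostname.endsWith(host.slice(1))) return true; // ".example" suffix
    } else if (img.hostname === host) {
      return true;
    }
  }
  return false; // no source expression matched
}

// Assumption for this example: an http: image in an https: document is blocked.
function mixedContentBlocks(documentUrl, imageUrl) {
  return new URL(documentUrl).protocol === "https:" &&
         new URL(imageUrl).protocol === "http:";
}

// The cache itself is keyed only by image URL, like the list of available
// images, so a copy of it carries no memory of who fetched each entry; the
// policy decision therefore has to be made again on every lookup.
class AvailableImages {
  constructor() { this.entries = new Map(); }
  store(imageUrl, record) { this.entries.set(imageUrl, record); }
  lookup(doc, imageUrl) {
    const hit = this.entries.get(imageUrl);
    if (hit === undefined) return { status: "miss" };
    if (mixedContentBlocks(doc.url, imageUrl)) {
      return { status: "blocked", reason: "mixed-content" };
    }
    if (!cspAllowsImage(doc.url, doc.csp, imageUrl)) {
      return { status: "blocked", reason: "csp" };
    }
    return { status: "hit", image: hit };
  }
}

// Constructed scenario: document A (no CSP, plain http) populated the cache,
// then the cache is reused by documents with stricter policies.
function runScenario() {
  const cache = new AvailableImages();
  cache.store("http://images.example/logo.png", { bytes: 1234 });
  cache.store("https://cdn.example/pic.png", { bytes: 5678 });

  const docB = { url: "https://b.example/page",
                 csp: { "img-src": ["'self'", "https://cdn.example"] } };
  const docC = { url: "https://c.example/page", csp: { "img-src": ["'self'"] } };
  const docD = { url: "http://d.example/page", csp: {} };

  return {
    mixedBlocked: cache.lookup(docB, "http://images.example/logo.png"),
    cspAllowed:   cache.lookup(docB, "https://cdn.example/pic.png"),
    cspBlocked:   cache.lookup(docC, "https://cdn.example/pic.png"),
    noPolicyHit:  cache.lookup(docD, "http://images.example/logo.png"),
    miss:         cache.lookup(docD, "http://images.example/other.png"),
  };
}

module.exports = { cspAllowsImage, mixedContentBlocks, AvailableImages, runScenario };
```

The point of `lookup` is that the cache key (the image URL) is the same for every document, so a copied cache can only be safe if the policy checks run at hit time with the current document's settings; a check done once, before the original fetch, says nothing about the document that later reuses the entry.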
