Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privacy and security questionnaire self-assesment #111

yoavweiss opened this issue Sep 26, 2017 · 1 comment


None yet
2 participants
Copy link

commented Sep 26, 2017

As part of the TAG review process, I have read the Privacy and Security Questionnaire.
There are a couple of questions there which seemed relevant for preload:

  • "Does this specification enable new script execution/loading mechanisms?"
    • preload does enable a new mechanism for script loading.
    • I believe that since it doesn't enable execution of said scripts without other script execution mechanisms (e.g. <script> tag), this does not expose any new attack vectors.
  • "Does this specification deal with high-value data?"
    • preload does not deal with high profile data, but could have been used as a data exfiltration mechanism for such data. However, the fact that it's bound to the same CSP directives as the resource that it is loading (indicated by the as attribute) means that it doesn't enable data exfiltration more than any other resource loading tag.

I open this issue mainly as part of the TAG review. Following the review, we'll see if any of the above should be added to the "Security and Privacy Considerations" section.

@yoavweiss yoavweiss referenced this issue Sep 26, 2017


Request for review: Preload #202

3 of 5 tasks complete

This comment has been minimized.

Copy link

commented Oct 10, 2017

TAG review done.

No feedback from the WebSec IG.

@siusin siusin closed this Oct 10, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.