List of available images and Fetch policies #154

Open
annevk opened this Issue Sep 16, 2015 · 3 comments

@annevk
Member
annevk commented Sep 16, 2015

https://html.spec.whatwg.org/multipage/embedded-content.html#list-of-available-images can be copied from document to document, but does not account for differences between such documents. E.g., they might have different CSP policies or one of them might disallow Mixed Content. We should probably only allow copying of this cache to take place if that does not break any of those security policies.

No idea if implementations handle this correctly today.

@annevk annevk was assigned by domenic Apr 22, 2016
@annevk
Member
annevk commented Apr 23, 2016

I'm not sure if I'm the best person to tackle this. Feels more like the terrain of @mikewest and @zcorpan.

@annevk annevk added the topic: img label Jul 8, 2016
@annevk
Member
annevk commented Jul 22, 2016

See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=28374 for some related discussion on the security model around images (and how it differs for "cors" vs "no-cors").

@annevk annevk removed their assignment Jul 22, 2016
@bzbarsky
Collaborator

In Gecko, CSP checks are done on any hit from this list, precisely because of this issue. See near the end of https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c15 and https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c65 for the discussion about this when we pushed CSP checks down into something more like fetch instead of doing them before even talking to the image loader.
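The problem raised in this issue and the check-on-every-hit approach mentioned for Gecko, modelled as an added example (not code from Gecko, the HTML spec, or any participant in this thread). The document fields, the reduced `img-src` matcher and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: simplified model, not browser or spec code. Field names
// (origin, imgSrc, disallowMixedContent) are hypothetical.
const makeDoc = (origin, imgSrc, disallowMixedContent) =>
  ({ origin, imgSrc, disallowMixedContent, availableImages: new Map() });

// Reduced img-src matching: '*', 'self', scheme sources ("https:") and exact
// origins only. Real CSP source matching has more rules than this.
function imgSrcAllows(doc, url) {
  if (doc.imgSrc === null) return true; // no img-src restriction applies
  const u = new URL(url);
  return doc.imgSrc.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return u.origin === doc.origin;
    if (src.endsWith(":")) return u.protocol === src;
    return u.origin === src; // "'none'" never equals an origin, so it never matches
  });
}

// A secure document that disallows mixed content must not use http: images.
function mixedContentAllows(doc, url) {
  const secureDoc = new URL(doc.origin).protocol === "https:";
  const insecureUrl = new URL(url).protocol === "http:";
  return !(doc.disallowMixedContent && secureDoc && insecureUrl);
}

// Copying the list carries entries over without consulting either policy.
function copyAvailableImages(from, to) {
  for (const [url, image] of from.availableImages) to.availableImages.set(url, image);
}

// Unchecked hit: whatever the source document loaded is reused as-is.
function lookupUnchecked(doc, url) {
  return doc.availableImages.has(url) ? doc.availableImages.get(url) : null;
}

// Checked hit: the requesting document's own policies are evaluated on every
// cache hit, so a copied entry cannot sidestep them.
function lookupChecked(doc, url) {
  if (!doc.availableImages.has(url)) return null;
  if (!imgSrcAllows(doc, url) || !mixedContentAllows(doc, url)) return null;
  return doc.availableImages.get(url);
}

// Constructed sample: a permissive document's list copied into a stricter one.
const permissive = makeDoc("https://a.example", null, false);
permissive.availableImages.set("https://cdn.example/logo.png", "bitmap-1");
const strict = makeDoc("https://a.example", ["'self'"], true);
copyAvailableImages(permissive, strict);
console.log(lookupUnchecked(strict, "https://cdn.example/logo.png"), lookupChecked(strict, "https://cdn.example/logo.png"));
```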
