List of available images and Fetch policies #154

annevk opened this Issue Sep 16, 2015 · 3 comments



annevk commented Sep 16, 2015

can be copied from document to document, but does not account for differences between such documents. E.g., they might have different CSP policies or one of them might disallow Mixed Content. We should probably only allow copying of this cache to take place if that does not break any of those security policies.

No idea if implementations handle this correctly today.

@annevk annevk was assigned by domenic Apr 22, 2016
annevk commented Apr 23, 2016

I'm not sure if I'm the best person to tackle this. Feels more like the terrain of @mikewest and @zcorpan.

@annevk annevk added the topic: img label Jul 8, 2016
annevk commented Jul 22, 2016

See also for some related discussion on the security model around images (and how it differs for "cors" vs "no-cors").

@annevk annevk removed their assignment Jul 22, 2016

In Gecko CSP checks are done on any hit from this list, precisely because of this issue. See near the end of and for the discussion about this when we pushed CSP checks down into something more like fetch instead of doing them before even talking to the image loader.
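The two mitigations raised in this thread (filtering when the list is copied, and re-checking policy on every hit), shown as an added example that is not part of the thread and is not spec text or Gecko code. The `Doc` class, the `blockMixed` flag and the reduced `img-src` matching are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration; not spec text or browser code.
// Real entries are keyed on more than the URL (e.g. CORS mode); only the URL is used here.
class Doc {
  constructor(url, { imgSrc = null, blockMixed = false } = {}) {
    this.url = new URL(url);
    this.imgSrc = imgSrc;          // null means no img-src directive
    this.blockMixed = blockMixed;  // hypothetical flag: document disallows mixed content
    this.available = new Map();    // absolute URL -> image data
  }
}

// Reduced img-src matching: '*', 'self', or an exact origin.
function cspAllows(doc, url) {
  if (doc.imgSrc === null) return true;
  const origin = new URL(url).origin;
  return doc.imgSrc.some((s) =>
    s === "*" || s === origin || (s === "'self'" && origin === doc.url.origin));
}

function mixedContentAllows(doc, url) {
  const insecure = new URL(url).protocol === "http:";
  return !(doc.blockMixed && doc.url.protocol === "https:" && insecure);
}

const policyAllows = (doc, url) => cspAllows(doc, url) && mixedContentAllows(doc, url);

// Option 1: filter at copy time, so the destination never holds a disallowed entry.
function copyChecked(from, to) {
  for (const [url, img] of from.available) {
    if (policyAllows(to, url)) to.available.set(url, img);
  }
}

// The behaviour the issue is worried about: copy without consulting the destination.
function copyUnchecked(from, to) {
  for (const [url, img] of from.available) to.available.set(url, img);
}

// Option 2: re-check on every hit, so even an unchecked copy cannot bypass policy.
function lookup(doc, src) {
  const url = new URL(src, doc.url).href;
  if (!doc.available.has(url)) return "miss";
  return policyAllows(doc, url) ? "hit" : "blocked";
}
```
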
