requiring it to implement this policy regardless of the running script context would require the UA to maintain a cache of policies for each site the user has visited. This is against the requirements of the base module. And I for one am against any such type of caching requirement in the UA.

cheers
devdatta

2009/10/22 Adam Barth <abarth-mozi...@adambarth.com>:
> On Thu, Oct 22, 2009 at 9:52 AM, Mike Ter Louw <mter...@uic.edu> wrote:
>> I agree. It seems anti-csrf (as currently defined) would be most beneficial
>> for defending against CSRF attacks that don't require any user action beyond
>> simply viewing the page (e.g., <img src="attack">).
>
> Maybe we should focus the module on this threat more specifically. My
> understanding is that this is a big source of pain for folks who
> operate forums, especially for user-supplied images that point back to
> the forum itself. What if the directive was something like
> "cookieless-images" and affected all images, regardless of where they
> were loaded from?
>
> Adam
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
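The threat Mike and Adam describe, a state change triggered by nothing more than the victim's browser fetching an `<img src="...">` that another user embedded in forum content, as an added example that is not code from this thread or from any CSP implementation. The session store, cookie name `sid`, paths and post store are all made up for the demo; the point is the contrast between a handler that acts on a cookie-authenticated GET and one that requires a POST carrying a token the image fetch cannot supply.

```python
"""Added example, not code from the dev-security thread or from any CSP
implementation: a small model of the no-user-action CSRF that an <img src="...">
in user-supplied forum content can trigger, next to a handler that is not
affected by it. Session ids, paths and the post store are made up for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # attached automatically by the UA
    form: dict = field(default_factory=dict)     # POST body fields only


# Hypothetical session store: sid cookie -> user plus a per-session CSRF token.
SESSIONS = {"s1": {"user": "alice", "csrf": secrets.token_hex(16)}}


def session_for(req):
    return SESSIONS.get(req.cookies.get("sid"))


def post_id(req):
    return req.path.rsplit("/", 1)[-1]


def delete_post_vulnerable(req, posts):
    """State change on a cookie-authenticated GET: anything that makes the
    victim's browser fetch the URL (an <img> tag is enough) performs it."""
    sess = session_for(req)
    if sess is None:
        return 403
    pid = post_id(req)
    if pid in posts and posts[pid]["owner"] == sess["user"]:
        del posts[pid]
        return 200
    return 404


def delete_post_hardened(req, posts):
    """Same action, but only on POST and only with a token that lives in the
    page (not in a cookie), so an image fetch cannot carry it."""
    sess = session_for(req)
    if sess is None:
        return 403
    if req.method != "POST":
        return 405  # an <img src> can only ever produce a GET
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    pid = post_id(req)
    if pid in posts and posts[pid]["owner"] == sess["user"]:
        del posts[pid]
        return 200
    return 404


def image_fetch(path):
    """Constructed model of what the UA sends for <img src=path> embedded in
    another user's post: a GET carrying the viewer's cookies and nothing else."""
    return Request("GET", path, cookies={"sid": "s1"})


def demo():
    """Run the image-fetch attack against both handlers, then a legitimate
    form submission against the hardened one; returns the outcomes."""
    results = {}

    posts = {"42": {"owner": "alice", "body": "first"}}
    results["vuln_status"] = delete_post_vulnerable(image_fetch("/posts/delete/42"), posts)
    results["vuln_post_survives"] = "42" in posts

    posts = {"42": {"owner": "alice", "body": "first"}}
    results["hard_status"] = delete_post_hardened(image_fetch("/posts/delete/42"), posts)
    results["hard_post_survives"] = "42" in posts

    # Alice's own form submission, with the token the page embedded for her.
    legit = Request("POST", "/posts/delete/42",
                    cookies={"sid": "s1"},
                    form={"csrf": SESSIONS["s1"]["csrf"]})
    results["legit_status"] = delete_post_hardened(legit, posts)
    results["legit_post_survives"] = "42" in posts
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this model the image fetch deletes the post through the vulnerable handler and is refused by the hardened one, while Alice's real form submission still works. A UA-side "cookieless-images" directive, as Adam sketches it, would change the first step instead: the fetch modelled by `image_fetch` would arrive without the `sid` cookie, so even the vulnerable handler would answer 403. The server-side fix does not depend on the UA supporting any such directive, which is why forums reach for it first.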