Devdatta wrote:
>> Maybe we should focus the module on this threat more specifically.  My
>> understanding is that this is a big source of pain for folks who
>> operate forums, especially for user-supplied images that point back to
>> the forum itself.  What if the directive was something like
>> "cookieless-images" and affected all images, regardless of where they
>> were loaded from?
>
> Requiring it to implement this policy regardless of the running script
> context would require the UA to maintain a cache of policies for each
> site the user has visited. This is against the requirements of the
> base module. And I for one am against any such type of caching
> requirement in the UA.

I think what Adam is intending is for the image resource to be requested without cookies being sent, regardless of the image URI origin (i.e., the no-cookies policy applies even if the image URI is contained in |self|). This would apply for all images requested in the context of a page that has cookieless-images enabled. To enforce this policy, there wouldn't be a need to cache policies for sites the user has previously visited.

Mike
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security