Hi Axel,

My first thought is that if you want to prevent hotlinking, couldn't the
server use the Request's HTTP Referer header to decide if they want to
serve the content?  It seems to be overkill to use CSP for just hotlink
protection.

-Sid

On 3/11/10 4:52 AM, Axel Dahmen wrote:
> Hi Sid,
> 
> actually, while I read the spec recommendation, one thing immediately
> came to my mind: Why only add protection to HTML content?
> 
> To my understanding a UA could implement CSP processing not only to file
> type handlers like "text/html", but *any* file type handler should
> process CSP directives.
> 
> To protect media files, CSP directives should be considered from a
> different perspective: "Which containers are allowed to display this/my
> content?"
> 
> The "allow self" directive could be used, for example, to protect
> images, JavaScript libraries or even web pages from being hijacked by
> other websites. (Protecting web pages would have the same effect as
> using Internet Explorer 8's "X-Frame-Options: Deny" HTTP header
> [http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx#_replace])
> 
> 
> Imagine, some foreign website links to a protected image. Then the
> "image/jpeg" handler would create a HTTP request for retrieving this
> resource. As soon as the HTTP headers for the image arrive, the image
> handler can check for a CSP restriction and block the content from being
> displayed.
> 
> 
> Well, protecting intellectual property this way is not fail-safe. It
> requires a UA supporting CSP in the abovementioned way. But as it says
> in the recommendation:
> "CSP is not intended to be a main line of defence, but rather one of the
> many layers of security"
> and
> "It should be made clear that it is not the intent of CSP to prevent
> navigation to arbitrary sites,
>  but rather to restrict the types of script, media, and other resources
> that may be used on a web page."
> 
> 
> ...your thoughts?
> 
> Axel Dahmen
> www.axeldahmen.de
> 
> -----------------------
> "Sid Stamm" <[email protected]> schrieb im Newsbeitrag
> news:[email protected]...
>> Hi Axel,
>>
>> I agree that we should consider what CSP can do to protect other types
>> of content.  We mainly stuck with HTML at first since it's the most
>> common "document" format on the Web.
>>
>> This is the perfect place to start a discussion about how to apply CSP
>> to other types of content.  What are your thoughts?
>>
>> -Sid
>>
>> On 03/06/2010 12:29 PM, Axel Dahmen wrote:
>>> Hi,
>>>
>>> I was thinking that it was a nifty idea to use CSP also for non-HTML
>>> content. Applying it to other content, like images or JavaScript it
>>> might be used to serve for some kind of low-level rights management.
>>>
>>> Would you like to discuss this type of application of CSP?
>>>
>>> Axel Dahmen 
> 

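As an added illustration that is not part of the thread above, the following code sketches the two checks the exchange contrasts: the server-side Referer test Sid suggests for hotlink protection, and the UA-side "which containers may display this resource" decision Axel describes. The `allow ...` policy string, the header it would travel in and all URLs are assumptions for the example; no published CSP draft defines a per-resource container policy of this kind.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its origin (scheme://host[:port]); None if unparsable.
    Default ports are dropped so 'https://a.example:443/x' equals 'https://a.example'."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port is None or p.port == default:
        return f"{p.scheme.lower()}://{p.hostname}"
    return f"{p.scheme.lower()}://{p.hostname}:{p.port}"


def referer_allows(referer, resource_url, allow_missing=True):
    """Server-side hotlink check (Sid's suggestion): serve only if the Referer
    is same-origin with the resource. The Referer is client-supplied and often
    absent (direct navigation, privacy tools, HTTPS->HTTP downgrade), so the
    caller decides whether an empty Referer is served or refused."""
    if not referer:
        return allow_missing
    return origin_of(referer) == origin_of(resource_url)


def container_allowed(policy, resource_url, container_url):
    """UA-side check (Axel's proposal): the image handler reads a constructed
    'allow <source> ...' policy from the response headers and decides whether
    the document at container_url may display the resource. 'self' stands for
    the resource's own origin; 'none' contributes no allowed origin."""
    tokens = policy.split()
    if not tokens or tokens[0].lower() != "allow":
        return True  # no recognised policy: render as a UA does today
    allowed = set()
    for src in tokens[1:]:
        word = src.strip("'").lower()
        if word == "self":
            allowed.add(origin_of(resource_url))
        elif word == "none":
            continue
        else:
            allowed.add(origin_of(src))
    return origin_of(container_url) in allowed
```

Both checks are only as strong as the party they trust: the Referer test trusts the requesting client to report where the request came from, while the container check trusts the UA to honour the policy at all, which is the layered-defence point the quoted spec text makes.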
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
