Comment 82 for bug 294712

Bzbarsky (bzbarsky) wrote:

> I'm asking, when a data image is passed through to ShouldLoad, what's the url
> that is passed through?

The @src attribute of the image. So the data: URI.

> possible for websites to bypass the url checking at least for REJECT_SERVER,
> no?

That's the content policy's business. If it wants to be checking the source of the load instead of the destination, it can do so, of course.

> And this works per-host even if images are turned off completely

Not for images with no host (as above), which you can't whitelist but which the global "images are turned off" pref catches.
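The behaviour discussed in this comment, as an added example that is not part of the original comment and is not Gecko's content-policy code: a small model of an image-load decision, showing why a destination-host rule never matches a `data:` URI, how a policy that checks the source of the load still can, and why the global images-off setting catches hostless images that no per-host exception can match. The function name, the `policy` object fields, the `REJECT_GLOBAL` label, and all hosts and URIs are assumptions constructed for illustration.

```javascript
// Illustrative model only; names below are hypothetical, not a browser API.
const ACCEPT = "ACCEPT";
const REJECT_SERVER = "REJECT_SERVER"; // rejected by a per-host rule
const REJECT_GLOBAL = "REJECT_GLOBAL"; // hypothetical label: global "images off" setting

// Host of a URI, or "" when the URI has none (as with data: URIs).
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch (e) {
    return "";
  }
}

// contentLocation: the image's @src (the data: URI itself for inline images).
// requestOrigin:   the page that embeds the image.
function shouldLoadImage(contentLocation, requestOrigin, policy) {
  const destHost = hostOf(contentLocation);
  // A destination-based policy keys its rules on where the load goes;
  // a source-based policy keys them on the page that asked for it.
  const ruleHost = policy.checkSource ? hostOf(requestOrigin) : destHost;

  if (ruleHost && policy.blockedHosts.has(ruleHost)) {
    return REJECT_SERVER;
  }
  if (!policy.imagesEnabled) {
    // A per-host exception needs a host to match, so hostless images
    // always fall through to the global setting.
    if (destHost && policy.allowedHosts.has(destHost)) {
      return ACCEPT;
    }
    return REJECT_GLOBAL;
  }
  return ACCEPT;
}

// Constructed sample inputs.
const DATA_IMAGE = "data:image/gif;base64,R0lGODlhAQABAAAAACw=";
const BLOCKING_POLICY = {
  imagesEnabled: true,
  checkSource: false,
  blockedHosts: new Set(["ads.example"]),
  allowedHosts: new Set(),
};
```
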