Re: object-src and plugins with no URLs

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 08 Aug 2011 09:16:01 -0700
Message-ID: <4E400BC1.60707@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

What if we added a source keyword 'local' to allow such content?

It could work in the case of a plugin, e.g. Google Gears, that doesn't
make requests for content, and could also potentially be used in other
directives once the Device API WG adds access to webcams and other local
resources (although we may want more granularity than a single keyword
since the risk profiles of webcam vs. Gears plugin are arguably much
different).

-Brandon


On 08/04/2011 05:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
> 
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
> 
> What about object-src * and object-src 'none'?
> 
> Adam
> 
Received on Monday, 8 August 2011 16:17:16 GMT