Re: object-src and plugins with no URLs

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 08 Aug 2011 09:16:01 -0700
Message-ID: <4E400BC1.60707@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

What if we added a source keyword 'local' to allow such content?

It could work in the case of a plugin, e.g. Google Gears, that doesn't
make requests for content, and could also potentially be used in other
directives once the Device API WG adds access to webcams and other local
resources (although we may want more granularity than a single keyword
since the risk profiles of webcam vs. Gears plugin are arguably much


On 08/04/2011 05:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
> What about object-src * and object-src 'none'  ?
> Adam

Received on Monday, 8 August 2011 16:17:16 UTC