Re: object-src and plugins with no URLs

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 8 Aug 2011 10:42:10 -0700
Message-ID: <CAJE5ia-q6F+V-F7Xk9D9DhwdrVmm5KG+3tkhFB=quWJgBiPTPw@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org

I always assumed DAP URLs would use a scheme that you could whitelist as usual:

connect-src device-api://calendar

for example.  The plug-in case is somewhat unique because other APIs
don't accept empty URLs.  Maybe we should treat it as about:blank ?
Then you could whitelist it by writing

object-src 'self' about:blank

?  That looks sort of odd.

object-src 'self' 'blank'

?

Adam


On Mon, Aug 8, 2011 at 9:16 AM, Brandon Sterne <bsterne@mozilla.com> wrote:
> What if we added a source keyword 'local' to allow such content?
>
> It could work in the case of a plugin, e.g. Google Gears, that doesn't
> make requests for content, and could also potentially be used in other
> directives once the Device API WG adds access to webcams and other local
> resources (although we may want more granularity than a single keyword
> since the risk profiles of webcam vs. Gears plugin are arguably much
> different).
>
> -Brandon
>
>
> On 08/04/2011 05:29 PM, Adam Barth wrote:
>> How should object-src 'self' (for example) interact with the following
>> object tag?
>>
>> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
>>
>> What about object-src * and object-src 'none'  ?
>>
>> Adam
>>
>
Received on Monday, 8 August 2011 17:43:08 GMT