
Re: object-src and plugins with no URLs

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 08 Aug 2011 14:07:04 -0700
Message-ID: <4E404FF8.3060801@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

On 8/4/11 5:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
> 
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
> 
> What about object-src * and object-src 'none'?

The simplest case is "object-src 'none'" -- I'm sure people writing
policies containing 'none' want no plugins whatsoever running on
their page. Similarly the most natural interpretation of "object-src
*" would be to allow the plugin, but we may want to special-case
it--like data:--and that would be OK too.

Firefox is going to get the 'none' case wrong currently since we
enforce object-src through content policies, and there's no
associated content being loaded.

What does a page author use if they want to allow these? 'self'
makes some sense since the plugin is interacting with content or
scripts we hope the page author put there. On the downside this
means authors have to allow these if they also want to self-host
flash or other plugin content. It'd be really really nice if
object-src discriminated by MIME type--if it did we could just use that.

I think we need a special keyword for this case. Brandon's 'local'
would work but doesn't seem quite right, ditto 'blank'. Don't like
'about:blank' at all, it's not the same thing. 'srcless' or 'nosrc'?
Hm, maybe 'local' or 'blank' aren't so bad after all.

-Dan Veditz
Received on Monday, 8 August 2011 21:07:38 GMT
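Added example, not code from the message, from Firefox or from the CSP spec: a toy model of object-src enforcement that reproduces the gap described above. A content-policy style check that only fires on a fetch never sees a srcless object, so even object-src 'none' lets it through; an element-level check catches it. Assumptions: plugin elements are plain {type, data} objects rather than DOM nodes; a srcless object is evaluated as if it came from the document itself (the 'self' reading floated in the message, not a settled rule); host-source matching ignores ports and paths and scheme-sources such as data: are not modeled.

```javascript
// Toy model of CSP object-src enforcement (added illustration, not Firefox
// or spec code). Elements are plain objects {type, data}; 'data' is the
// element's URL and is absent for a srcless <object>.

// Pull the object-src directive out of a policy string and return its
// source expressions lower-cased, or null if the directive is absent.
function parseObjectSrc(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "object-src") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Simplified host-source matching: optional scheme, host with a leading
// "*." wildcard. Ports and paths are ignored (an assumption of this toy).
function hostMatches(expr, targetOrigin) {
  if (targetOrigin === "null") return false; // data:, blob: and friends
  const target = new URL(targetOrigin);
  let host = expr;
  const sep = expr.indexOf("://");
  if (sep !== -1) {
    if (expr.slice(0, sep) + ":" !== target.protocol) return false;
    host = expr.slice(sep + 3);
  }
  host = host.split("/")[0].split(":")[0];
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return host === target.hostname;
}

// Does the source list allow plugin content from targetOrigin?
// 'none' wins outright; '*' is taken to match real origins only, so an
// opaque origin ("null", e.g. a data: URL) is never matched by it.
function allowsOrigin(sources, docOrigin, targetOrigin) {
  if (sources.includes("'none'")) return false;
  for (const s of sources) {
    if (s === "*" && targetOrigin !== "null") return true;
    if (s === "'self'" && targetOrigin === docOrigin) return true;
    if (!s.startsWith("'") && hostMatches(s, targetOrigin)) return true;
  }
  return false;
}

// Model 1: a check hooked on content loads, as the message describes for
// Firefox. It only runs when the element fetches something, so a srcless
// object is never examined and object-src 'none' does not stop it.
function loadBasedDecision(policy, docOrigin, element) {
  const sources = parseObjectSrc(policy);
  if (sources === null || !element.data) return "allow";
  const origin = new URL(element.data, docOrigin).origin;
  return allowsOrigin(sources, docOrigin, origin) ? "allow" : "block";
}

// Model 2: check every plugin element when it is instantiated. A srcless
// object is treated as coming from the document's own origin (assumption:
// the 'self' reading discussed in the message).
function elementBasedDecision(policy, docOrigin, element) {
  const sources = parseObjectSrc(policy);
  if (sources === null) return "allow";
  const origin = element.data ? new URL(element.data, docOrigin).origin : docOrigin;
  return allowsOrigin(sources, docOrigin, origin) ? "allow" : "block";
}

// Constructed cases drawn from the thread.
const DOC = "https://example.com";
const SRCLESS = { type: "application/x-plugin-that-does-not-make-any-http-requests" };
const SELF_HOSTED = { type: "application/x-shockwave-flash", data: "/player.swf" };
const THIRD_PARTY = { type: "application/x-shockwave-flash", data: "https://cdn.example.org/p.swf" };

for (const policy of ["object-src 'none'", "object-src 'self'", "object-src *"]) {
  for (const [name, el] of [["srcless", SRCLESS], ["self-hosted", SELF_HOSTED], ["third-party", THIRD_PARTY]]) {
    console.log(`${policy.padEnd(20)} ${name.padEnd(12)} load-based=${loadBasedDecision(policy, DOC, el)} element-based=${elementBasedDecision(policy, DOC, el)}`);
  }
}
```

The interesting row is object-src 'none' with the srcless element: the load-based model answers "allow" because nothing is fetched, the element-based model answers "block", which is the result the message says policy authors expect.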
