Re: How should Content-Security-Policy apply to Flash?

From: Lucas Adamski <ladamski@mozilla.com>
Date: Mon, 24 Oct 2011 15:24:07 -0700
Message-ID: <4EA5E587.20705@mozilla.com>
To: Travis Hassloch <thassloc@adobe.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>

I'd like to see Flash Player and other plugins use the existing CSP
policy mechanisms when possible/applicable.  We tried to keep the
directives scenario-centric rather than API-centric, though there are
some notable exceptions.

Plugins will probably require extensions to support scenarios that
aren't currently defined, but to define a whole new set of extensions
specifically for Flash Player would likely require redefining many of
the existing directives around loading of scripts, images, media, fonts, etc.
  Lucas.

On 10/20/2011 5:19 PM, Travis Hassloch wrote:
> I would be very appreciative to hear your ideas on how
> Content-Security-Policy should apply to Flash.
> 
> For example, one idea of many: SWF files are compiled from
> ActionScript, which is more-or-less ECMAScript, so perhaps it
> should be interpreted as such.  On the other hand, they may be
> dissimilar enough that extensions to CSP (new directives) may
> be the way to go.
> 
> Thoughts on this or any other aspect?
> 
> Backgrounder on Flash security model:
> <URL:http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html>
> 
> Thanks!
Received on Monday, 24 October 2011 22:24:46 GMT
