Re: CSP connect-src and browser plugins

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 23 Sep 2012 08:15:41 -0700
Message-ID: <CAJE5ia_4LLWT0J=DGf87sAz2SAfxDVLXo0YiW0x4BDUWmZOszA@mail.gmail.com>
To: Erlend Oftedal <eoftedal@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Sep 23, 2012 at 5:57 AM, Erlend Oftedal <eoftedal@gmail.com> wrote:
> Flash, Silverlight, Java and friends can also make HTTP connections. This is
> controlled by policies like crossdomain.xml and clientaccesspolicy.xml on
> the receiving end, but what about the browser? Does connect-src also apply
> to these plugins? Could it? Should it?

Generally speaking, the behavior of plugins in this area isn't defined
by W3C specifications.  For example, there are no W3C specifications
for crossdomain.xml or clientaccesspolicy.xml.  If I were writing one
of these plugins, I would make them respect the connect-src directive,
however.

Adam
Received on Sunday, 23 September 2012 15:16:42 GMT