
Re: CSP connect-src and browser plugins

From: Dan Veditz <dveditz@mozilla.com>
Date: Sun, 23 Sep 2012 11:30:04 -0700
Message-ID: <505F552C.6060505@mozilla.com>
To: Erlend Oftedal <eoftedal@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 9/23/12 5:57 AM, Erlend Oftedal wrote:
> Flash, silverlight, java and friends can also make http connections.
> This is controlled by policies like crossdomain.xml and
> clientaccesspolicy.xml on the receiving end, but what about the browser?
> Does connect-src also apply to these plugins? Could it? Should it?

Plugins can make their own connections without any consultation with the 
browser if they wish, so it's hard to block those (e.g. sockets). For 
http requests they typically use NPAPI calls to take advantage of 
browser network settings, and Mozilla is treating those calls under the 
object-src rules when we have enough context to do so.

-Dan Veditz
Received on Sunday, 23 September 2012 18:30:32 GMT
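To make the distinction in the reply concrete, here is an added example (not code from the thread, Mozilla, or the W3C) that parses a CSP header and evaluates a request against whichever directive the browser applies: object-src for a plugin's NPAPI-routed HTTP request, connect-src for XHR. It assumes the browser has the context the reply mentions, handles only the simple source expressions it lists, and uses constructed policy and origin values.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, page_origin: str, target_origin: str) -> bool:
    """Simplified CSP source-expression match: '*', 'self', 'none', a bare
    'scheme:' and exact scheme://host[:port] origins. Host wildcards are not
    handled here (assumption: the policy under test uses none)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return target_origin == page_origin
    if source.endswith(":") and "//" not in source:  # e.g. "https:"
        return urlsplit(target_origin).scheme + ":" == source
    return source == target_origin


def effective_sources(policy: dict, directive: str) -> list:
    """connect-src and object-src both fall back to default-src when absent;
    if neither is present the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def request_allowed(header: str, page_origin: str, target_origin: str,
                    governing_directive: str) -> bool:
    """Decide whether a request to target_origin passes the governing directive.
    Per the reply, Mozilla applies object-src to a plugin's NPAPI HTTP request
    (given enough context); XHR and similar are governed by connect-src."""
    page_origin, target_origin = page_origin.lower(), target_origin.lower()
    sources = effective_sources(parse_csp(header), governing_directive)
    if "'none'" in (s.lower() for s in sources):
        return False
    return any(source_matches(s, page_origin, target_origin) for s in sources)


# Constructed sample policy and origins (not taken from the message).
POLICY = ("default-src 'self'; connect-src https://api.example.com; "
          "object-src https://plugins.example.com")
PAGE = "https://www.example.com"
```

With this policy a plugin request to https://api.example.com is refused under object-src even though connect-src lists that host, which is why both directives need to be set deliberately when a page embeds plugins.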
