
Re: CSP not being applied to <applet> tag

From: Mike West <mkwst@google.com>
Date: Sun, 17 Nov 2013 15:55:56 +0100
Message-ID: <CAKXHy=ek-38RehbGFapUg8QEvxxZ-+OZTPaoe0jJ98-RLAj25g@mail.gmail.com>
To: Erik Larsson <erik.jp.larsson@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Chrome should at least be attempting to block the load (
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/html/HTMLAppletElement.cpp&rcl=1384651644&l=134),
but plugin loading code is a strange and scary mess. I certainly can
believe that I screwed that up.

Can you point us to a demo so we can clean up our implementations?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores


On Wed, Nov 13, 2013 at 11:10 PM, Erik Larsson <erik.jp.larsson@gmail.com> wrote:

> Hi,
>
> I work with a web application that implements a pretty tight CSP and we
> are seeing some odd behavior related to use of the <APPLET> tag.  It seems
> like no matter how strict our CSP is (Content-Security-Policy: default-src
> 'none'; object-src 'none';), all three major browsers (Chrome, Firefox and
> Safari) still let applets load when using the <APPLET> tag.  It also looks
> like Firefox allows applets to load through <EMBED> tags when the type
> attribute is set to "application/x-java-applet".  All other content types
> are properly blocked, so I am confident that my CSP header syntax is
> correct.  Does this sound like correct behavior?
>
>
> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
> explicitly state that loading Java Applets should be configurable using
> default-src. Embed, Object and the Applet tags should all be covered, so it
> is not clear to me why the <APPLET> tags are still allowed to load.  It
> almost seems like all three browsers are intentionally ignoring this tag,
> which seems odd.
>
>
> Any insight into this would be greatly appreciated.
>
Received on Sunday, 17 November 2013 14:56:44 UTC
