RE: CSP not being applied to <applet> tag

Following http://www.w3.org/TR/CSP/#object-src, when an <embed>, <object>, or <applet> tag specifies data to load, it must match the allowed object sources. In the absence of specifying data to load, the protected resource's URI must match the allowed object sources. In the situation of 'object-src: none', no value will match the allowed object sources, and therefore the user agent must not load the plugin.

Based on the above, I argue that spec behavior per CSP 1.0 is to not load the plugin in this situation - no spec changes required.
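The object-src rule quoted in the reply above, as an added example that is not part of the thread or of any browser's code: a small JavaScript model of how an <applet>, <object> or <embed>, with or without data to load, is checked against the effective object-src list. Policy strings, URLs and function names are constructed for illustration; ports are not modelled.

```javascript
// Added example, not code from the thread or from any browser: a minimal model of the
// CSP 1.0 object-src rule. If the element names data to load, that URL must match
// object-src; if it names nothing (a bare <applet code="...">), the document's own URL
// must match instead. 'none' matches nothing, so both paths are blocked.
// Assumption: source expressions limited to 'none', 'self', *, scheme:, host and *.host.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Effective object-src: the explicit directive, else default-src, else unrestricted.
function objectSources(policy) {
  return policy.get('object-src') ?? policy.get('default-src') ?? null;
}

function sourceMatches(expr, url, doc) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === doc.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/\s*]+)$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// Decide whether a plugin element may be instantiated under `header` on `documentUrl`.
// `dataUrl` is null when the element specifies nothing to load.
function pluginAllowed(header, documentUrl, dataUrl) {
  const sources = objectSources(parsePolicy(header));
  if (sources === null) return true;
  const doc = new URL(documentUrl);
  // Absent data: the protected resource's own URI must match the allowed sources.
  const target = dataUrl ? new URL(dataUrl, doc) : doc;
  return sources.some((expr) => sourceMatches(expr, target, doc));
}

// Constructed inputs mirroring the thread: a bare <applet> under object-src 'none'.
const PAGE = 'https://example.test/page.html';
console.log(pluginAllowed("object-src 'none'", PAGE, null));                            // false
console.log(pluginAllowed("default-src 'self'", PAGE, null));                           // true
console.log(pluginAllowed("default-src 'self'", PAGE, 'https://cdn.other.test/x.jar')); // false
```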


From: Brad Hill [mailto:hillbrad@gmail.com]
Sent: Wednesday, November 13, 2013 9:48 PM
To: Boris Zbarsky
Cc: public-webappsec@w3.org
Subject: Re: CSP not being applied to <applet> tag

Uuuuggggghhhhh...... so it falls to the plugin itself to enforce the policy.  But of course, the ones that don't are the ones you really want to stop the most.

Maybe we should at least special case a calculated policy of object-src 'none' to just block any plugin instantiation? Or is support for media-types in 1.1 close enough down the road?

On Wed, Nov 13, 2013 at 6:07 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
On 11/13/13 5:10 PM, Erik Larsson wrote:
The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
explicitly state that loading Java Applets should be configurable using
default-src.

As far as I know, browsers don't do any loading of stuff for <applet>. They just instantiate the Java plug-in, and it does the network access itself.

Certainly the code that handled <object data> and <embed src> in Gecko does no URI loading in the Java applet case.

-Boris

Received on Tuesday, 19 November 2013 20:36:02 UTC