
[CSP] images loaded in object and embed

From: Kevin Hill <khill@microsoft.com>
Date: Mon, 18 Aug 2014 22:00:46 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <e6be85f1b97e4039a07bbf134945898f@SN2PR03MB031.namprd03.prod.outlook.com>
For <object> and <embed> tags loading images, what directive(s) apply? The spec indicates that object-src is for plugins, and img-src is for images - it doesn't describe what to do for images loaded through these elements. Here are the current behaviors in some browsers:

* Chrome
  o For <embed> or <object> to an SVG file, both the object-src and the frame-src directives are applied
  o For <object> to a PNG file, no policy is applied (seems to be a bug)
* Firefox
  o For <embed> or <object> to an SVG file, the object-src directive is applied
  o For <object> to a PNG file, the object-src directive is applied
* IE
  o For <embed> or <object> to an SVG file, the frame-src directive is applied
  o For <object> to a PNG file, the img-src directive is applied
Since it isn't clear, we are not sure what to do, although it looks like using object-src is the likely avenue to take.
Received on Monday, 18 August 2014 22:01:34 UTC
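The following is an added example, not part of Kevin Hill's message or of the CSP specification: a differential probe page for reproducing the kind of survey above in any browser that fires securitypolicyviolation events. It gives object-src, img-src and frame-src each a disjoint allowlist and loads every probe element once per candidate origin, so the origin that loads identifies the directive the browser consulted, and each blocked attempt reports the directive that refused it (Chrome's "both object-src and frame-src" behaviour shows up as two events for one element). It goes slightly beyond the message by also probing <embed> with a PNG. The hostnames, file names and the default-src 'none' baseline are assumptions chosen for the probe, not values from the thread. The question matters because an SVG served through <object> or <embed> can run script, while the same file behind an <img> governed by img-src cannot, so which directive applies decides whether an object-src lockdown actually covers it.

```javascript
// Added example (not from the message above or from the CSP spec): a differential
// probe for finding out which CSP directive a browser applies to <object>/<embed>
// elements that point at image files.
//
// Technique: give object-src, img-src and frame-src each a DISJOINT allowlist and
// load every probe element once per candidate origin. The origin that loads
// tells you which directive the browser consulted; each blocked attempt raises a
// securitypolicyviolation event whose effectiveDirective names the directive
// that refused it. All hostnames and file names below are placeholders.

const PROBE_ORIGINS = {
  "object-src": "https://object-only.example",
  "img-src": "https://img-only.example",
  "frame-src": "https://frame-only.example",
};

// Image files to probe with. SVG is the interesting one: SVG loaded through
// <object>/<embed> can execute script, SVG behind <img> cannot.
const PROBE_FILES = ["probe.svg", "probe.png"];

// Serialize the probe policy. default-src 'none' keeps unrelated fetches from
// muddying the result.
function buildProbePolicy(origins = PROBE_ORIGINS) {
  const parts = Object.entries(origins).map(([name, src]) => `${name} ${src}`);
  return ["default-src 'none'", ...parts].join("; ");
}

// Parse a serialized policy into a Map of directive name -> source list.
// Directives are ';'-separated, tokens whitespace-separated, names are
// case-insensitive, and a repeated directive is ignored (the first one wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The probe only discriminates if all three directives are present and share
// no source expression.
function probeIsUnambiguous(policy) {
  const p = parseCsp(policy);
  const lists = ["object-src", "img-src", "frame-src"].map((d) => p.get(d) || []);
  if (lists.some((l) => l.length === 0)) return false;
  const seen = new Set();
  for (const list of lists) {
    for (const src of list) {
      if (seen.has(src)) return false;
      seen.add(src);
    }
  }
  return true;
}

// Every (element, attribute, URL) combination to place on the page:
// 2 elements (<object data>, <embed src>) x 3 candidate origins x 2 files = 12.
function probeMatrix(origins = PROBE_ORIGINS, files = PROBE_FILES) {
  const probes = [];
  for (const [directive, origin] of Object.entries(origins)) {
    for (const file of files) {
      probes.push({ tag: "object", attr: "data", directive, url: `${origin}/${file}` });
      probes.push({ tag: "embed", attr: "src", directive, url: `${origin}/${file}` });
    }
  }
  return probes;
}

// Reduce a violation event (or a report-uri JSON body) to the directive that
// blocked the load. effectiveDirective is a bare name; violatedDirective may
// still carry the directive's source list after the name.
function classifyViolation(report) {
  const raw = report.effectiveDirective || report.violatedDirective || "";
  const name = raw.trim().split(/\s+/)[0].toLowerCase();
  return ["object-src", "img-src", "frame-src", "default-src"].includes(name) ? name : "other";
}

// Browser-only part. Serve the page with
//   Content-Security-Policy: <value of buildProbePolicy()>
// and read the console: a probe whose origin matches the directive the browser
// applied loads silently; every other probe logs the directive that blocked it.
if (typeof document !== "undefined") {
  document.addEventListener("securitypolicyviolation", (e) => {
    console.log(`blocked ${e.blockedURI}: ${classifyViolation(e)}`);
  });
  document.addEventListener("DOMContentLoaded", () => {
    for (const probe of probeMatrix()) {
      const el = document.createElement(probe.tag);
      el.setAttribute(probe.attr, probe.url);
      el.setAttribute("data-candidate", probe.directive); // which allowlist this URL is on
      document.body.appendChild(el);
    }
  });
}
```

Run the pure functions under Node to check the policy before deploying it, then load the page in each browser under test. For a browser without securitypolicyviolation events (IE at the time of the message), the same matrix still works: the network panel shows which candidate origin's probe was fetched and which were refused.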

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC