- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 08 Aug 2011 09:16:01 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
What if we added a source keyword 'local' to allow such content? It could work in the case of a plugin, e.g. Google Gears, that doesn't make requests for content, and could also potentially be used in other directives once the Device API WG adds access to webcams and other local resources (although we may want more granularity than a single keyword since the risk profiles of webcam vs. Gears plugin are arguably much different).

-Brandon

On 08/04/2011 05:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
>
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
>
> What about object-src * and object-src 'none' ?
>
> Adam

Received on Monday, 8 August 2011 16:17:16 UTC