- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 8 Aug 2011 10:42:10 -0700
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org
I always assumed DAP URLs would use a scheme that you could whitelist as usual: connect-src device-api://calendar for example. The plug-in case is somewhat unique because other APIs don't accept empty URLs. Maybe we should treat it as about:blank? Then you could whitelist it by writing object-src 'self' about:blank? That looks sort of odd. object-src 'self' 'blank'?

Adam

On Mon, Aug 8, 2011 at 9:16 AM, Brandon Sterne <bsterne@mozilla.com> wrote:
> What if we added a source keyword 'local' to allow such content?
>
> It could work in the case of a plugin, e.g. Google Gears, that doesn't
> make requests for content, and could also potentially be used in other
> directives once the Device API WG adds access to webcams and other local
> resources (although we may want more granularity than a single keyword
> since the risk profiles of webcam vs. Gears plugin are arguably much
> different).
>
> -Brandon
>
>
> On 08/04/2011 05:29 PM, Adam Barth wrote:
>> How should object-src 'self' (for example) interact with the following
>> object tag?
>>
>> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
>>
>> What about object-src * and object-src 'none' ?
>>
>> Adam
>>
Received on Monday, 8 August 2011 17:43:08 UTC
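To make the policy question in this exchange concrete, here is an added example (not code from the thread, the W3C working group, or any browser) of a minimal CSP source-list matcher for object-src. It shows what `'self'`, `*` and `'none'` decide for an `<object>` that has no URL at all, and how the thread's proposals fit in: treating the missing URL as `about:blank`, and the `'blank'` / `'local'` keywords, are ideas from the messages above, not standard CSP. Ports are ignored, `*` uses the original CSP 1.0 meaning (match any URL), and `'none'` is only treated as an empty list when it stands alone; all of that is a simplification chosen for this example.

```javascript
// Added example: simplified CSP source matching for object-src.
// The about:blank mapping and the 'blank' / 'local' keywords are thread proposals.

function parseSourceList(directiveValue) {
  // A source list is a whitespace-separated list of source expressions.
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

function hostSourceMatches(source, url) {
  // host-source forms handled: host, *.host, scheme://host (ports ignored for brevity).
  let scheme = null;
  let host = source;
  const sep = source.indexOf('://');
  if (sep !== -1) {
    scheme = source.slice(0, sep).toLowerCase() + ':';
    host = source.slice(sep + 3);
  }
  host = host.split('/')[0].split(':')[0].toLowerCase();
  if (scheme !== null && url.protocol !== scheme) return false;
  const h = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.example.com" -> ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return h === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;                 // CSP 1.0 semantics; later specs exclude data:, blob:, filesystem:
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  // Thread proposals: spell out the URL-less plug-in case either as a literal
  // about:blank source or with a keyword ('blank' from Adam, 'local' from Brandon).
  if (source === 'about:blank' || source === "'blank'" || source === "'local'") {
    return url.href === 'about:blank';
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {      // scheme-source, e.g. device-api:
    return url.protocol === source.toLowerCase();
  }
  return hostSourceMatches(source, url);
}

// Decide whether an <object> may load under the given object-src value.
// objectData is the element's data attribute; '' or null means the element
// carries no URL, which (per the thread's suggestion) we treat as about:blank.
function objectAllowed(directiveValue, objectData, pageOrigin) {
  const effective = objectData ? objectData : 'about:blank';
  const url = new URL(effective, pageOrigin + '/');
  const sources = parseSourceList(directiveValue);
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Stand-alone demonstration with constructed inputs.
const page = 'https://example.com';
console.log("object-src 'self', no URL:         ", objectAllowed("'self'", '', page));          // false
console.log("object-src 'self' 'blank', no URL: ", objectAllowed("'self' 'blank'", '', page));  // true
console.log("object-src *, no URL:              ", objectAllowed('*', '', page));               // true
console.log("object-src device-api:, calendar:  ", objectAllowed('device-api:', 'device-api://calendar', page)); // true
```

The first line of output is the crux of the thread: with `'self'` alone, a URL-less plug-in has an opaque origin and is blocked, so a policy author needs some explicit way to name that case, which is what the `about:blank`, `'blank'` and `'local'` variants above provide.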