- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 08 Aug 2011 14:07:04 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 8/4/11 5:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
>
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
>
> What about object-src * and object-src 'none' ?

The simplest case is "object-src 'none'" -- I'm sure people writing policies containing 'none' want no plugins whatsoever running on their page. Similarly the most natural interpretation of "object-src *" would be to allow the plugin, but we may want to special-case it--like data:--and that would be OK too.

Firefox is going to get the 'none' case wrong currently since we enforce object-src through content policies, and there's no associated content being loaded.

What does a page author use if they want to allow these? 'self' makes some sense since the plugin is interacting with content or scripts we hope the page author put there. On the downside this means authors have to allow these if they also want to self-host Flash or other plugin content. It'd be really, really nice if object-src discriminated by MIME type--if it did we could just use that.

I think we need a special keyword for this case. Brandon's 'local' would work but doesn't seem quite right, ditto 'blank'. Don't like 'about:blank' at all, it's not the same thing. 'srcless' or 'nosrc'? Hm, maybe 'local' or 'blank' aren't so bad after all.

-Dan Veditz
Received on Monday, 8 August 2011 21:07:38 UTC
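The following is an added example, not code from Dan Veditz, Mozilla or the W3C thread. It models the two enforcement points the message contrasts: checking object-src only in the subresource-load hook (the content-policy approach, which never fires for a srcless <object>) versus checking at plugin instantiation. Source-list matching is deliberately simplified to 'none', '*', 'self' and plain host sources (no ports or paths); the object-src-to-default-src fallback, the sample elements and the page origin are assumptions constructed for the example.

```javascript
// Added example (not from the original message). Toy model of CSP object-src
// enforcement for <object> elements with and without a data attribute.

// Return the source tokens of a directive, or null if the header lacks it.
function parseDirective(cspHeader, name) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// object-src falls back to default-src when absent (assumed fallback rule).
// No applicable directive at all means the page imposes no restriction.
function objectSrcTokens(cspHeader) {
  const own = parseDirective(cspHeader, 'object-src');
  return own !== null ? own : parseDirective(cspHeader, 'default-src');
}

// Simplified source-expression match: 'none', '*', 'self', host or scheme://host,
// with a leading "*." wildcard. Ports and paths are ignored in this model.
function sourceMatches(token, url, pageOrigin) {
  if (token === "'none'") return false;
  if (token === '*') return true;
  if (token === "'self'") return url.origin === pageOrigin;
  let scheme = null;
  let host = token;
  const m = token.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; host = m[2]; }
  host = host.split('/')[0].split(':')[0].toLowerCase();
  if (scheme && scheme !== url.protocol) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function loadAllowed(cspHeader, url, pageOrigin) {
  const tokens = objectSrcTokens(cspHeader);
  if (tokens === null) return true;
  return tokens.some((t) => sourceMatches(t, url, pageOrigin));
}

// Model 1: enforce only when a subresource load happens. A srcless <object>
// loads nothing, so the policy is never consulted and the plugin runs, even
// under object-src 'none'. This is the failure the message describes.
function loadHookDecision(cspHeader, element, pageOrigin) {
  if (!element.data) return 'allow';
  const url = new URL(element.data, pageOrigin);
  return loadAllowed(cspHeader, url, pageOrigin) ? 'allow' : 'block';
}

// Model 2: enforce when the plugin is instantiated, so srcless elements are
// checked too. For them, 'none' blocks and '*' allows; whether 'self' or some
// new keyword should allow them is the open question, reported as 'unspecified'.
function instantiationDecision(cspHeader, element, pageOrigin) {
  const tokens = objectSrcTokens(cspHeader);
  if (tokens === null) return 'allow';
  if (element.data) {
    const url = new URL(element.data, pageOrigin);
    return loadAllowed(cspHeader, url, pageOrigin) ? 'allow' : 'block';
  }
  if (tokens.length === 1 && tokens[0] === "'none'") return 'block';
  if (tokens.includes('*')) return 'allow';
  return 'unspecified';
}

// Constructed sample inputs (assumptions, not from the thread).
const PAGE_ORIGIN = 'https://www.example.com';
const SRCLESS = { type: 'application/x-plugin-that-does-not-make-any-http-requests' };
const SELF_HOSTED = { type: 'application/x-shockwave-flash', data: '/media/intro.swf' };

// Usage: compare the two enforcement points on the same policy.
console.log(loadHookDecision("object-src 'none'", SRCLESS, PAGE_ORIGIN));       // allow (the gap)
console.log(instantiationDecision("object-src 'none'", SRCLESS, PAGE_ORIGIN));  // block
console.log(instantiationDecision("object-src 'self'", SRCLESS, PAGE_ORIGIN));  // unspecified
```

The point of the two models is where the check runs: a content-policy hook keyed on loads is structurally unable to see an element that performs no load, so the decision for srcless objects has to be made at instantiation regardless of which keyword the spec eventually settles on.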