Re: object-src and plugins with no URLs

On 8/4/11 5:29 PM, Adam Barth wrote:
> How should object-src 'self' (for example) interact with the following
> object tag?
> 
> <object type="application/x-plugin-that-does-not-make-any-http-requests"></object>
> 
> What about object-src * and object-src 'none'?

The simplest case is "object-src 'none'" -- I'm sure people writing
policies containing 'none' want no plugins whatsoever running on
their page. Similarly the most natural interpretation of "object-src
*" would be to allow the plugin, but we may want to special-case
it--like data:--and that would be OK too.

Firefox is going to get the 'none' case wrong currently since we
enforce object-src through content policies, and there's no
associated content being loaded.

What does a page author use if they want to allow these? 'self'
makes some sense since the plugin is interacting with content or
scripts we hope the page author put there. On the downside this
means authors have to allow these if they also want to self-host
flash or other plugin content. It'd be really really nice if
object-src discriminated by MIME type--if it did we could just use that.

I think we need a special keyword for this case. Brandon's 'local'
would work but doesn't seem quite right, ditto 'blank'. Don't like
'about:blank' at all, it's not the same thing. 'srcless' or 'nosrc'?
Hm, maybe 'local' or 'blank' aren't so bad after all.

-Dan Veditz
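As an added illustration (not code from this thread, nor from Firefox), here is a toy JavaScript model of an object-src check that applies the interpretation discussed above: 'none' blocks everything, '*' and 'self' allow a src-less plugin, and a hypothetical 'local' keyword allows only src-less plugins. The 'local' keyword is assumed from Brandon's proposal and never shipped, and source matching is deliberately simplified to 'self', '*', scheme sources and full-origin host sources.

```javascript
// Toy model of applying a CSP object-src source list to an <object>.
// Added example, not from the thread; 'local' is a hypothetical keyword.

// Split a directive value into lower-cased source expressions.
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean).map(s => s.toLowerCase());
}

// Does one source expression match the URL an <object> would fetch?
function sourceMatches(expr, pageOrigin, url) {
  if (expr === '*') {
    // CSP 1.0 semantics: '*' does not cover data:, blob: or filesystem:,
    // the special-casing of data: mentioned above.
    return !/^(data|blob|filesystem):/i.test(url);
  }
  if (expr === "'self'") return new URL(url).origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) {
    return url.toLowerCase().startsWith(expr); // scheme source, e.g. "data:"
  }
  try {
    // Host source given as a full origin, e.g. "https://cdn.example.net".
    return new URL(url).origin === new URL(expr).origin;
  } catch (e) {
    return false; // unsupported or malformed expression: fail closed
  }
}

// Decide whether an <object> may run under the given object-src value.
// objectUrl is null for a src-less <object type="...">, the case the
// thread is about: nothing is fetched, so a URL-based check has nothing
// to match and must be decided by keyword instead.
function objectAllowed(objectSrc, pageOrigin, objectUrl) {
  const sources = parseSourceList(objectSrc);
  // 'none' is only meaningful on its own; an empty list also blocks.
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
    return false;
  }
  if (objectUrl === null) {
    return sources.some(s => s === '*' || s === "'self'" || s === "'local'");
  }
  // A URL-bearing object is never covered by the src-less keyword.
  return sources.some(s => s !== "'local'" && sourceMatches(s, pageOrigin, objectUrl));
}
```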

Received on Monday, 8 August 2011 21:07:38 UTC