- From: Lucas Adamski <ladamski@mozilla.com>
- Date: Mon, 24 Oct 2011 15:24:07 -0700
- To: Travis Hassloch <thassloc@adobe.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
I'd like to see Flash Player and other plugins use the existing CSP policy mechanisms when possible/applicable. We tried to keep the directives scenario-centric rather than API-centric, though there are some notable exceptions. Plugins will probably require extensions to support scenarios that aren't currently defined, but to define a whole new set of extensions specifically for Flash Player would likely requiring re-defining many of the existing directives around loading of scripts, image, media, fonts, etc. Lucas. On 10/20/2011 5:19 PM, Travis Hassloch wrote: > I would be very appreciative to hear your ideas on how > Content-Security-Policy should apply to flash. > > For example, one idea of many: SWF files are compiled from > actionscript, which is more-or-less ECMAscript, so perhaps it > should be interpreted as such. On the other hand, they may be > dissimilar enough that extensions to CSP (new directives) may > be the way to go. > > Thoughts on this or any other aspect? > > Backgrounder on flash security model: > <URL:http://www.adobe.com/devnet/flashplayer/articles/flash_player10_securit > y_wp.html> > > Thanks!
Received on Monday, 24 October 2011 22:24:46 UTC