Re: How should Content-Security-Policy apply to Flash?

I'd like to see Flash Player and other plugins use the existing CSP
policy mechanisms when possible/applicable.  We tried to keep the
directives scenario-centric rather than API-centric, though there are
some notable exceptions.

Plugins will probably require extensions to support scenarios that
aren't currently defined, but to define a whole new set of extensions
specifically for Flash Player would likely requiring re-defining many of
the existing directives around loading of scripts, image, media, fonts, etc.

On 10/20/2011 5:19 PM, Travis Hassloch wrote:
> I would be very appreciative to hear your ideas on how
> Content-Security-Policy should apply to flash.
> For example, one idea of many: SWF files are compiled from
> actionscript, which is more-or-less ECMAscript, so perhaps it
> should be interpreted as such.  On the other hand, they may be
> dissimilar enough that extensions to CSP (new directives) may
> be the way to go.
> Thoughts on this or any other aspect?
> Backgrounder on flash security model:
> <URL:
> y_wp.html>
> Thanks!

Received on Monday, 24 October 2011 22:24:46 UTC