W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2011

<object>, text/html, and object-src/frame-src

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 6 Dec 2011 15:01:03 -0800
Message-ID: <CAJE5ia9Od5jFd_FWf5vZyKeWHJCAGLfKFrP3WXJ8kHLXxVvegA@mail.gmail.com>
To: public-webappsec@w3.org
On the call today, we discussed
http://www.w3.org/2011/webappsec/track/issues/8.  Specifically,
whether the following markup should be controlled by the frame-src or
the object-src directive:

<object data="http://www.yahoo.com/"></object>

The question boils down to whether we're thinking about directives
syntactically or semantically.  Syntactically, the Yahoo home page is
being loaded by the object tag, so it should be controlled by the
object-src directive.  Semantically, the Yahoo home page is being
displayed in a frame, so it should be controlled by the frame-src

Jacob Rossi and Brandon Sterne both argued for the syntactic approach
as being consistent with the other directives and better aligned with
their implementations.  I tested WebKit just now, and it seems to
implement the semantic approach.

The current plan is to adopt the syntactic approach, making <object>
always controlled by object-src regardless of whether it's used to
display a plug-in or a frame.  If you have any feedback on this topic,
please feel encouraged to respond to this email.

Received on Tuesday, 6 December 2011 23:02:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:26 UTC