<object>, text/html, and object-src/frame-src

On the call today, we discussed
http://www.w3.org/2011/webappsec/track/issues/8.  Specifically,
whether the following markup should be controlled by the frame-src or
the object-src directive:

<object data="http://www.yahoo.com/"></object>

The question boils down to whether we're thinking about directives
syntactically or semantically.  Syntactically, the Yahoo home page is
being loaded by the object tag, so it should be controlled by the
object-src directive.  Semantically, the Yahoo home page is being
displayed in a frame, so it should be controlled by the frame-src
directive.

Jacob Rossi and Brandon Sterne both argued for the syntactic approach
as being consistent with the other directives and better aligned with
their implementations.  I tested WebKit just now, and it seems to
implement the semantic approach.

The current plan is to adopt the syntactic approach, making <object>
always controlled by object-src regardless of whether it's used to
display a plug-in or a frame.  If you have any feedback on this topic,
please feel encouraged to respond to this email.

Thanks,
Adam

Received on Tuesday, 6 December 2011 23:02:06 UTC