webappsec-ISSUE-10: Processing model for object element and frame-src directive

http://www.w3.org/2011/webappsec/track/issues/10

Raised by: Brad Hill
On product: 

Section 4.7 of Content Security Policy:

Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed frame sources, the user agent must act as if it had received an empty HTTP 400 response:
• Requesting data for display in a frame, such as when processing the src attribute of an iframe or frame element.
• Navigating a nested browsing context within the protected document.


Issue: How does this work for the object element? We don't know whether the request is going to lead to a plug-in or a frame until we get the response back and can look at the MIME type.

Received on Tuesday, 17 January 2012 16:39:23 UTC