Re: CSP connect-src and browser plugins

On Sun, Sep 23, 2012 at 5:57 AM, Erlend Oftedal <> wrote:
> Flash, silverlight, java and friends can also make http connections. This is
> controlled by policies like crossdomain.xml and clientaccesspolicy.xml on
> the receiving end, but what about the browser? Does connect-src also apply
> to these plugins? Could it? Should it?

Generally speaking, the behavior of plugins in this area isn't defined
by W3C specifications.  For example, there are no W3C specifications
for crossdomain.xml or clientaccesspolicy.xml.  If I were writing one
of these plugins, I would make them respect the connect-src directive,


Received on Sunday, 23 September 2012 15:16:42 UTC