- From: Dan Veditz <dveditz@mozilla.com>
- Date: Sun, 23 Sep 2012 11:30:04 -0700
- To: Erlend Oftedal <eoftedal@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 9/23/12 5:57 AM, Erlend Oftedal wrote:
> Flash, silverlight, java and friends can also make http connections.
> This is controlled by policies like crossdomain.xml and
> clientaccesspolicy.xml on the receiving end, but what about the browser?
> Does connect-src also apply to these plugins? Could it? Should it?

Plugins can make their own connections without any consultation with the browser if they wish so it's hard to block those (e.g. sockets). For http requests they typically use NPAPI calls to take advantage of browser network settings, and Mozilla is treating those calls under the object-src rules when we have enough context to do so.

-Dan Veditz

Received on Sunday, 23 September 2012 18:30:32 UTC