- From: Erik Larsson <erik.jp.larsson@gmail.com>
- Date: Wed, 13 Nov 2013 17:10:12 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAE19Wj1VBcLwThj=CfJbhhpqhWkP1obpoSyV=oBzphF0qsLBEA@mail.gmail.com>
Hi,

I work with a web application that implements a pretty tight CSP and we are seeing some odd behavior related to the use of the <APPLET> tag. It seems like no matter how strict our CSP is (Content-Security-Policy: default-src 'none'; object-src 'none';), all three major browsers (Chrome, Firefox and Safari) still let applets load when using the <APPLET> tag. It also looks like Firefox allows applets to load through <EMBED> tags when the type attribute is set to "application/x-java-applet". All other content types are properly blocked, so I am confident that my CSP header syntax is correct.

Does this sound like correct behavior? The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to explicitly state that loading Java Applets should be configurable using default-src. Embed, Object and the Applet tags should all be covered, so it is not clear to me why the <APPLET> tags are still allowed to load. It almost seems like all three browsers are intentionally ignoring this tag, which seems odd.

Any insight into this would be greatly appreciated.
Received on Thursday, 14 November 2013 00:53:37 UTC
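As an added example (not code from this post, a browser, or the spec), the following JavaScript evaluates what the cited CSP 1.0 object-src rule says should happen for a policy like the one quoted above: <object>, <embed> and <applet> are all governed by object-src, which falls back to default-src. The page origin and resource URLs are assumed sample values, and only 'none', 'self' and simple scheme/host source expressions are handled.

```javascript
// Parse "default-src 'none'; object-src 'none'" into {directive: [sources]}.
// A repeated directive keeps its first occurrence, as the spec requires.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Element -> directive mapping from CSP 1.0 for plugin content; other
// elements are out of scope for this evaluator and are reported as allowed.
function governingDirective(tagName) {
  return ['object', 'embed', 'applet'].includes(tagName.toLowerCase()) ? 'object-src' : null;
}

// Effective source list: the directive itself, else default-src, else unrestricted.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy['default-src']) return policy['default-src'];
  return ['*'];
}

// Does one source expression match the resource, relative to the page origin?
function sourceMatches(expr, pageOrigin, resource) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return resource.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return resource.protocol === expr.toLowerCase();
  // scheme://*.host:port with every part except the host optional
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && resource.protocol !== scheme.toLowerCase() + ':') return false;
  const hostOk = wildcard ? resource.hostname.endsWith('.' + host) : resource.hostname === host;
  return hostOk && (!port || resource.port === port);
}

// The check a deployer expects the browser to make: may `url` load via <tagName>
// on a page served with `header` from `pageOrigin` (assumed sample origin)?
function pluginLoadAllowed(header, pageOrigin, tagName, url) {
  const directive = governingDirective(tagName);
  if (!directive) return true;
  const resource = new URL(url);
  return effectiveSources(parseCsp(header), directive)
    .some(expr => sourceMatches(expr, pageOrigin, resource));
}
```

With the header from the post, every plugin element (including <applet>) evaluates to blocked; the spec text gives no tag-specific exception, which is why the observed browser behaviour is surprising.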