CSP not being applied to <applet> tag from Erik Larsson on 2013-11-13 (public-webappsec@w3.org from November 2013)

From: Erik Larsson <erik.jp.larsson@gmail.com>
Date: Wed, 13 Nov 2013 17:10:12 -0500
To: public-webappsec@w3.org
Message-ID: <CAE19Wj1VBcLwThj=CfJbhhpqhWkP1obpoSyV=oBzphF0qsLBEA@mail.gmail.com>

Hi,

I work with a web application that implements a pretty tight CSP and we are
seeing some odd behavior related to use of the <APPLET> tag.  It seems like
no matter how strict our CSP is (Content-Security-Policy: default-src
'none'; object-src ‘none’;), all three major browsers (Chrome, Firefox and
Safari) still let applets load when using the <APPLET> tag.  It also looks
like Firefox allows applets to load through <EMBED> tags when the type
attribute is set to “application/x-java-applet”.  All other content types
are properly blocked, so I am confident that my CSP header syntax is
correct.  Does this sound like correct behavior?


The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
explicitly state that loading Java Applets should be configurable using
default-src. Embed, Object and the Applet tags should all be covered, so it
is not clear to me why the <APPLET> tags are still allowed to load.  It
almost seems like all three browsers are intentionally ignoring this tag,
which seems odd.


Any insight into this would be greatly appreciated.

Received on Thursday, 14 November 2013 00:53:37 UTC