- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 13 Nov 2013 21:07:13 -0500
- To: public-webappsec@w3.org

On 11/13/13 5:10 PM, Erik Larsson wrote:
> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
> explicitly state that loading Java Applets should be configurable using
> default-src.

As far as I know, browsers don't do any loading of stuff for <applet>. They just instantiate the Java plug-in, and it does the network access itself. Certainly the code that handled <object data> and <embed src> in Gecko does no URI loading in the Java applet case.

-Boris

Received on Thursday, 14 November 2013 02:07:44 UTC