Re: CSP not being applied to <applet> tag

On 11/13/13 5:10 PM, Erik Larsson wrote:
> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
> explicitly state that loading Java Applets should be configurable using
> default-src.

As far as I know, browsers don't do any loading of stuff for <applet>. 
They just instantiate the Java plug-in, and it does the network access 
itself.

Certainly the code that handled <object data> and <embed src> in Gecko 
does no URI loading in the Java applet case.

-Boris

Received on Thursday, 14 November 2013 02:07:44 UTC