Re: CSP not being applied to <applet> tag

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 13 Nov 2013 21:07:13 -0500
Message-ID: <52843051.9040306@mit.edu>
To: public-webappsec@w3.org

On 11/13/13 5:10 PM, Erik Larsson wrote:
> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
> explicitly state that loading Java Applets should be configurable using
> default-src.

As far as I know, browsers don't do any loading of stuff for <applet>. 
They just instantiate the Java plug-in, and it does the network access 
itself.

Certainly the code that handled <object data> and <embed src> in Gecko 
does no URI loading in the Java applet case.

-Boris
Received on Thursday, 14 November 2013 02:07:44 UTC
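
Added example, not part of the original message or of any browser's code: a sketch of the policy decision the quoted spec text refers to, where a plugin resource is governed by object-src and falls back to default-src. It models only what the policy says; as the reply above notes, that decision takes effect only when the browser itself performs the load. The function names, the simplified source matching and the example.test URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored: the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_object_sources(policy):
    """object-src if present, otherwise default-src; None means unrestricted."""
    if "object-src" in policy:
        return policy["object-src"]
    return policy.get("default-src")

def _origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()

def plugin_load_allowed(header, page_url, resource_url):
    """Simplified matcher: 'none', 'self', *, scheme: and scheme://host only
    (no wildcard hosts, paths or default-port normalisation)."""
    sources = effective_object_sources(parse_csp(header))
    if sources is None:
        return True
    res_scheme, _ = _origin(resource_url)
    for src in (s.lower() for s in sources):
        if src == "'none'":
            continue
        if src == "*" and res_scheme in ("http", "https"):
            return True
        if src == "'self'" and _origin(page_url) == _origin(resource_url):
            return True
        if src == res_scheme + ":":
            return True
        if "://" in src and _origin(src) == _origin(resource_url):
            return True
    return False

# Constructed sample policies and URLs (example.test is a placeholder domain).
PAGE = "https://example.test/index.html"
if __name__ == "__main__":
    for hdr in ("default-src 'self'", "default-src 'self'; object-src 'none'"):
        print(hdr, "->", plugin_load_allowed(hdr, PAGE, "https://example.test/a.jar"))
```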
