W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2013

Re: CSP not being applied to <applet> tag

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 13 Nov 2013 21:48:01 -0800
Message-ID: <CAEeYn8iEJ-+wX55Uz2Cnz9ipGq4NR5sLEMqaX1ojrBWHMdTZmw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Uuuuggggghhhhh...... so it falls to the plugin itself to enforce the
policy.  But of course, the ones that don't are the ones you really want to
stop the most.

Maybe we should at least special case a calculated policy of object-src
'none' to just block any plugin instantiation? Or is support for
media-types in 1.1 close enough down the road?


On Wed, Nov 13, 2013 at 6:07 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/13/13 5:10 PM, Erik Larsson wrote:
>
>> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
>> explicitly state that loading Java Applets should be configurable using
>> default-src.
>>
>
> As far as I know, browsers don't do any loading of stuff for <applet>.
> They just instantiate the Java plug-in, and it does the network access
> itself.
>
> Certainly the code that handled <object data> and <embed src> in Gecko
> does no URI loading in the Java applet case.
>
> -Boris
>
>
Received on Thursday, 14 November 2013 05:48:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC