Re: CSP not being applied to <applet> tag from Brad Hill on 2013-11-14 (public-webappsec@w3.org from November 2013)

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 13 Nov 2013 21:48:01 -0800
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8iEJ-+wX55Uz2Cnz9ipGq4NR5sLEMqaX1ojrBWHMdTZmw@mail.gmail.com>

Uuuuggggghhhhh...... so it falls to the plugin itself to enforce the
policy.  But of course, the ones that don't are the ones you really want to
stop the most.

Maybe we should at least special case a calculated policy of object-src
'none' to just block any plugin instantiation? Or is support for
media-types in 1.1 close enough down the road?

On Wed, Nov 13, 2013 at 6:07 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/13/13 5:10 PM, Erik Larsson wrote:
>
>> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to
>> explicitly state that loading Java Applets should be configurable using
>> default-src.
>>
>
> As far as I know, browsers don't do any loading of stuff for <applet>.
> They just instantiate the Java plug-in, and it does the network access
> itself.
>
> Certainly the code that handled <object data> and <embed src> in Gecko
> does no URI loading in the Java applet case.
>
> -Boris
>
>

Received on Thursday, 14 November 2013 05:48:29 UTC