- From: Mike West <mkwst@google.com>
- Date: Sun, 17 Nov 2013 15:55:56 +0100
- To: Erik Larsson <erik.jp.larsson@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=ek-38RehbGFapUg8QEvxxZ-+OZTPaoe0jJ98-RLAj25g@mail.gmail.com>
Chrome should at least be attempting to block the load (https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/html/HTMLAppletElement.cpp&rcl=1384651644&l=134), but plugin loading code is a strange and scary mess. I certainly can believe that I screwed that up.

Can you point us to a demo so we can clean up our implementations?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores

On Wed, Nov 13, 2013 at 11:10 PM, Erik Larsson <erik.jp.larsson@gmail.com> wrote:
> Hi,
>
> I work with a web application that implements a pretty tight CSP and we are seeing some odd behavior related to use of the <APPLET> tag. It seems like no matter how strict our CSP is (Content-Security-Policy: default-src 'none'; object-src 'none';), all three major browsers (Chrome, Firefox and Safari) still let applets load when using the <APPLET> tag. It also looks like Firefox allows applets to load through <EMBED> tags when the type attribute is set to "application/x-java-applet". All other content types are properly blocked, so I am confident that my CSP header syntax is correct. Does this sound like correct behavior?
>
> The CSP specification (http://www.w3.org/TR/CSP/#object-src) seems to explicitly state that loading Java Applets should be configurable using default-src. Embed, Object and the Applet tags should all be covered, so it is not clear to me why the <APPLET> tags are still allowed to load. It almost seems like all three browsers are intentionally ignoring this tag, which seems odd.
>
> Any insight into this would be greatly appreciated.
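The kind of demo the reply asks for, as an added example that is not part of this thread and not code from either author or from any browser project: a small Python server that serves one page under the policy quoted above (`default-src 'none'; object-src 'none'`) with a `report-uri` directive appended, embeds the three plugin element forms the thread discusses, and records whatever violation reports the browser posts back. The port, the `/report` path and the `Placeholder.class` names are assumptions made for the example; the class names deliberately do not exist, because the question is only whether the browser attempts the load at all. A browser that honours `object-src` for every form should produce one report per element; an element that loads with no report is exactly the gap the original message describes.

```python
"""CSP conformance demo for plugin elements (constructed example).

Serves http://127.0.0.1:8000/ under a restrictive policy and collects the
violation reports the browser sends to /report. Compare the number of
reports with the number of plugin elements on the page.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Policy from the thread, plus report-uri so blocked loads become visible.
CSP_POLICY = "default-src 'none'; object-src 'none'; report-uri /report"

# The three element forms object-src is meant to govern. Class names are
# placeholders (assumption); only the load attempt matters, not its success.
PLUGIN_ELEMENTS = [
    '<applet code="Placeholder.class" width="100" height="100"></applet>',
    '<embed type="application/x-java-applet" code="Placeholder.class" '
    'width="100" height="100">',
    '<object type="application/x-java-applet" width="100" height="100">'
    '<param name="code" value="Placeholder.class"></object>',
]

REPORTS = []  # (violated-directive, blocked-uri) pairs received from the browser


def build_test_page():
    """HTML document carrying every plugin element form under test."""
    return ("<!doctype html><html><head><title>CSP applet test</title></head>"
            "<body>" + "".join(PLUGIN_ELEMENTS) + "</body></html>")


def response_headers():
    """Headers for the test page; the CSP header is the whole point."""
    return {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": CSP_POLICY}


def parse_report(body):
    """Pull the directive/URI pair out of a CSP 1.0 JSON report body."""
    report = json.loads(body.decode("utf-8")).get("csp-report", {})
    return report.get("violated-directive", ""), report.get("blocked-uri", "")


def expected_violation_count():
    """One report per plugin element is what the spec's object-src text implies."""
    return len(PLUGIN_ELEMENTS)


def summarize():
    """Expected vs. received report counts, plus the received details."""
    return {"expected": expected_violation_count(),
            "reported": len(REPORTS),
            "details": list(REPORTS)}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        page = build_test_page().encode("utf-8")
        self.send_response(200)
        for name, value in response_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_POST(self):
        if self.path != "/report":
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        REPORTS.append(parse_report(self.rfile.read(length)))
        print("violation report:", REPORTS[-1])
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the console to violation reports only


if __name__ == "__main__":
    print("open http://127.0.0.1:8000/ in the browser under test;",
          "expected reports:", expected_violation_count())
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it, load the page in each browser under test, and compare the printed reports against the three elements on the page. Reports arrive only when the browser both blocks the load and implements `report-uri`; a browser that loads the applet silently will show fewer reports than `expected_violation_count()`, which is the observation the thread is about. Fetching the page with a plain HTTP client confirms the header is sent, but the enforcement itself can only be observed in a real browser.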
Received on Sunday, 17 November 2013 14:56:44 UTC