- From: Kevin Hill <khill@microsoft.com>
- Date: Mon, 18 Aug 2014 22:00:46 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 18 August 2014 22:01:34 UTC
For <object> and <embed> tags loading images, what directive(s) apply? The spec indicates that object-src is for plugins, and img-src is for images - it doesn't describe what to do for images loaded through these elements.

Here are the current behaviors in some browsers:

* Chrome
  o For <embed> or <object> to an SVG file, both the object-src and the frame-src directives are applied
  o For <object> to a PNG file, no policy is applied (seems to be a bug)
* Firefox
  o For <embed> or <object> to an SVG file, the object-src directive is applied
  o For <object> to a PNG file, the object-src directive is applied
* IE
  o For <embed> or <object> to an SVG file, the frame-src directive is applied
  o For <object> to a PNG file, the img-src directive is applied

Since it isn't clear, we are not sure what to do, although it looks like using object-src is the likely avenue to take.
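Added example, not part of the original message or of any browser's test suite: a small Node.js probe server for checking which directive a given browser enforces on the <object>/<embed> loads listed above. The probe file names, port 8000, the /csp-report path and the --serve switch are assumptions made for this sketch.

```javascript
// Probe for CSP enforcement on <object>/<embed> image loads.
// PROBES, the port and the /csp-report path are constructed for this example.
const PROBES = [
  { tag: 'object', attr: 'data', file: 'probe-object.svg' },
  { tag: 'embed',  attr: 'src',  file: 'probe-embed.svg' },
  { tag: 'object', attr: 'data', file: 'probe-object.png' },
];

// All three candidate directives deny everything, so whichever one the
// browser applies to a probe is the one named in its violation report.
function buildPolicy() {
  return ["object-src 'none'", "img-src 'none'", "frame-src 'none'",
          'report-uri /csp-report'].join('; ');
}

function buildPage() {
  const els = PROBES.map(p => `<${p.tag} ${p.attr}="/${p.file}">` +
    (p.tag === 'embed' ? '' : `</${p.tag}>`)); // <embed> is a void element
  return `<!doctype html><title>CSP probe</title>\n${els.join('\n')}\n`;
}

// Reduce a violation report to the two fields that answer the question.
function summarize(body) {
  try {
    const r = JSON.parse(body)['csp-report'] || {};
    return { blocked: r['blocked-uri'], directive: r['violated-directive'] };
  } catch (e) { return null; } // malformed report body
}

function serve(port) {
  const http = require('http');
  http.createServer((req, res) => {
    if (req.method === 'POST' && req.url === '/csp-report') {
      let body = '';
      req.on('data', c => { body += c; });
      req.on('end', () => { console.log('blocked:', summarize(body)); res.end(); });
    } else if (req.url === '/') {
      res.writeHead(200, { 'Content-Type': 'text/html',
                           'Content-Security-Policy': buildPolicy() });
      res.end(buildPage());
    } else {
      // A probe fetch reaching the server means no directive stopped it.
      if (PROBES.some(p => '/' + p.file === req.url)) console.log('NOT blocked:', req.url);
      res.writeHead(404); res.end();
    }
  }).listen(port, '127.0.0.1');
}

if (process.argv.includes('--serve')) serve(8000);
```

Run it with --serve and open http://127.0.0.1:8000/ in the browser under test; each "blocked" line names the directive that browser applied, and a "NOT blocked" line marks a load that no directive stopped.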