- From: Mike West <mkwst@google.com>
- Date: Tue, 19 Aug 2014 06:41:01 +0200
- To: Kevin Hill <khill@microsoft.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fTp+43a9px-motJjEfFh23jFfAS56C-cKw+OMSzObgug@mail.gmail.com>
The spec addresses this in https://w3c.github.io/webappsec/specs/content-security-policy/#directive-object-src. In short, anything loaded by an <object> or <embed> tag ought to be governed by 'object-src'.

In long: "It is not required that the consumer of the element's data be a plugin in order for the object-src directive to be enforced. Data for any object, embed, or applet element MUST match the allowed object sources in order to be fetched. This is true even when the element data is semantically equivalent to content which would otherwise be restricted by one of the other directives, such as an object element with a text/html MIME type."

It looks like Chrome's code is doing something wacky with images; I'll take a look at that.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Aug 19, 2014 at 12:00 AM, Kevin Hill <khill@microsoft.com> wrote:
> For <object> and <embed> tags loading images, what directive(s) apply?
> The spec indicates that *object-src* is for plugins, and *img-src* is for
> images – it doesn't describe what to do for images loaded through these
> elements.
>
> Here are the current behaviors in some browsers:
>
> - Chrome
>   - For <embed> or <object> to an SVG file, both the *object-src* and the *frame-src* directives are applied
>   - For <object> to a PNG file, no policy is applied (seems to be a bug)
>
> - Firefox
>   - For <embed> or <object> to an SVG file, the *object-src* directive is applied
>   - For <object> to a PNG file, the *object-src* directive is applied
>
> - IE
>   - For <embed> or <object> to an SVG file, the *frame-src* directive is applied
>   - For <object> to a PNG file, the *img-src* directive is applied
>
> Since it isn't clear, we are not sure what to do, although it looks like
> using object-src is the likely avenue to take.
Received on Tuesday, 19 August 2014 04:41:49 UTC
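As an added illustration of the rule Mike quotes (this is example code written for this page, not code from the thread, the spec, or any browser), the following JavaScript models how a user agent picks the governing directive for an element-initiated fetch and then checks the resource URL against that directive's source list. The element-to-directive table is an assumption that follows the quoted spec text for object/embed/applet; the policy parser and source matching are a deliberately reduced subset of CSP 1.0 (scheme-sources, host-sources, 'self', 'none' and '*'); the policies, origin and URLs are constructed for the example.

```javascript
// Added example (not from the thread or from any browser's code): a
// simplified model of which CSP directive governs a fetch started by a given
// element, following the object-src rule quoted in the mail above. Policies
// and URLs below are constructed for illustration.

// Parse a Content-Security-Policy header value into {directiveName: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    // First occurrence of a directive wins, as in CSP.
    if (!(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Which directive governs a fetch initiated by each element type. The point
// from the spec text quoted above: <object>, <embed> and <applet> are always
// governed by object-src, whatever MIME type the response turns out to carry.
// (Assumed table; only the element types needed for this example.)
const ELEMENT_DIRECTIVE = {
  object: 'object-src',
  embed: 'object-src',
  applet: 'object-src',
  img: 'img-src',
  iframe: 'frame-src',
  script: 'script-src',
};

// Returns the directive whose source list applies, falling back to
// default-src, or null when the policy says nothing about this fetch.
function governingDirective(policy, element) {
  const directive = ELEMENT_DIRECTIVE[element.toLowerCase()];
  if (directive === undefined) throw new Error(`unmodelled element: ${element}`);
  if (directive in policy) return directive;
  if ('default-src' in policy) return 'default-src';
  return null;
}

// Does one source expression match the URL? Covers 'none', 'self', '*',
// scheme-sources ("https:") and host-sources ("https://a.example.com:8443",
// "*.example.com"); other keyword sources never match a URL.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (source === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const urlHost = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !urlHost.endsWith('.' + want) : urlHost !== want) return false;
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  return true;
}

// Decide whether a fetch from `element` for `resourceUrl` (absolute or
// page-relative) is allowed, and report which directive made the decision.
function loadAllowed(policy, element, resourceUrl, pageOrigin) {
  const directive = governingDirective(policy, element);
  if (directive === null) return { directive: null, allowed: true };
  const url = new URL(resourceUrl, pageOrigin);
  const allowed = policy[directive].some((s) => sourceMatches(s, url, pageOrigin));
  return { directive, allowed };
}

function demo() {
  const pageOrigin = 'https://app.example.com';
  const policy = parsePolicy(
    "default-src 'self'; img-src https://images.example.com; object-src 'none'"
  );
  // Same PNG, two elements: <img> consults img-src, <object> consults
  // object-src, so the <object> load is blocked even though img-src allows it.
  console.log(loadAllowed(policy, 'img', 'https://images.example.com/logo.png', pageOrigin));
  console.log(loadAllowed(policy, 'object', 'https://images.example.com/logo.png', pageOrigin));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The demo reproduces the situation Kevin asks about: the same PNG is permitted through `<img>` and refused through `<object>`, because the element, not the response's MIME type, selects the directive. A policy with no `object-src` and no `default-src` leaves `<object>` loads unconstrained, which is why a restrictive deployment normally sets `object-src 'none'` explicitly.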