Re: [CSP] images loaded in object and embed from Mike West on 2014-08-19 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 19 Aug 2014 06:41:01 +0200
To: Kevin Hill <khill@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=fTp+43a9px-motJjEfFh23jFfAS56C-cKw+OMSzObgug@mail.gmail.com>

The spec addresses this in
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-object-src.
In short, anything loaded by an <object> or <embed> tag ought to be
governed by 'object-src'. In long:

"It is not required that the consumer of the element’s data be a plugin in
order for the object-src directive to be enforced. Data for any object,
embed, or applet element MUST match the allowed object sources in order to
be fetched. This is true even when the element data is semantically
equivalent to content which would otherwise be restricted by one of the
other directives, such as an object element with a text/html MIME type."

It looks like Chrome's code is doing something wacky with images; I'll take
a look at that.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Aug 19, 2014 at 12:00 AM, Kevin Hill <khill@microsoft.com> wrote:

>  For <object> and <embed> tags loading images, what directive(s) apply?
> The spec indicates that *object-src* is for plugins, and *img-src* is for
> images – it doesn’t describe what to do for images loaded through these
> elements.  Here the current behaviors in some browsers:
>
> ·       Chrome
>
> o   For <embed> or <object> to an SVG file, both the * object-src* and
> the *frame-src* directives are applied
>
> o   For <object> to a PNG file, no policy is applied (seems to be a bug)
>
> ·       Firefox
>
> o   For <embed> or <object> to an SVG file, the *object-src* directive is
> applied
>
> o   For <object> to a PNG file, the *object-src* directive is applied
>
> ·       IE
>
> o   For <embed> or <object> to an SVG file, *frame-src* directive is
> applied
>
> o   For <object> to a PNG file, the *img-src* directive is applied
>
>
>
> Since it isn’t clear we are not sure what to do, although it looks like
> using object-src is the likely avenue to take.
>

Received on Tuesday, 19 August 2014 04:41:49 UTC