Re: [CSP] images loaded in object and embed

Hi,

On Aug 19, 2014, at 12:00 AM, Kevin Hill <khill@microsoft.com> wrote:

> For <object> and <embed> tags loading images, what directive(s) apply? The spec indicates that object-src is for plugins, and img-src is for images – it doesn’t describe what to do for images loaded through these elements. Here are the current behaviors in some browsers:
> * Chrome
>   - For <embed> or <object> to an SVG file, both the object-src and the frame-src directives are applied
>   - For <object> to a PNG file, no policy is applied (seems to be a bug)
> * Firefox
>   - For <embed> or <object> to an SVG file, the object-src directive is applied
>   - For <object> to a PNG file, the object-src directive is applied
> * IE
>   - For <embed> or <object> to an SVG file, frame-src directive is applied
>   - For <object> to a PNG file, the img-src directive is applied
>
> Since it isn’t clear, we are not sure what to do, although it looks like using object-src is the likely avenue to take.

I think the SVG WG would be interested in that question as well. Adding www-svg.

Greetings,
Dirk

Received on Tuesday, 19 August 2014 04:49:25 UTC
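
The following is an added example, not part of the original message and not any browser's code. It encodes the per-browser behaviours reported in the quoted 2014 message and checks, for a given policy, whether an image loaded through <object> or <embed> would be allowed under each of them. The origins are constructed, source matching is simplified to `*`, `'self'` and exact origins, and the function names are hypothetical.

```javascript
// Directives applied per browser, copied from the behaviours reported in the
// quoted message (2014). An empty list means no directive was applied
// (the Chrome PNG case the message describes as a likely bug).
const REPORTED = {
  Chrome:  { svg: ['object-src', 'frame-src'], png: [] },
  Firefox: { svg: ['object-src'],              png: ['object-src'] },
  IE:      { svg: ['frame-src'],               png: ['img-src'] },
};

// Parse a CSP header value into Map(directive -> source list).
// Directive names are case-insensitive; the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified matching (assumption): '*', 'self' and exact origins only.
// 'none' or an empty source list matches nothing.
function allows(sources, origin, selfOrigin) {
  return sources.some(s =>
    s === '*' || (s === "'self'" && origin === selfOrigin) || s === origin);
}

// For each browser, report whether an <object>/<embed> load of `kind`
// ('svg' or 'png') from `origin` would be allowed by `header`.
function audit(header, kind, origin, selfOrigin) {
  const policy = parsePolicy(header);
  const result = {};
  for (const [browser, applied] of Object.entries(REPORTED)) {
    // Every applied directive must allow the load; a missing directive
    // falls back to default-src, and no policy at all means allowed.
    result[browser] = applied[kind].every(directive => {
      const sources = policy.get(directive) ?? policy.get('default-src');
      return sources === undefined || allows(sources, origin, selfOrigin);
    });
  }
  return result;
}
```

A policy that restricts object-src, img-src and frame-src (directly or through default-src) gives the same result under all three reported behaviours except the Chrome PNG case, where no directive was consulted.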