
Re: why does plugin-types inherit to nested browsing contexts?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 27 Feb 2015 10:21:08 -0800
Message-ID: <CAPfop_09R40Ut2JXFS==gPf=Z5NcB1PEoVqgPxMgAyZHkXfppw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Emily Stark <estark@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> Can you enumerate the difference in privilege between a plugin embedded via
> `<object>` and a plugin embedded via `<iframe>`? If there are real and
> relevant differences, then it's probably reasonable to revisit both Blink's
> implementation and the spec text.

Well, to begin with, using an object tag I (or an attacker during XSS)
can pass in params like allowScriptAccess with a <param> tag. I don't
think there is a way to do that with iframes. I hesitate to
_enumerate_ anything because I also don't know and I know people like
Peleus are on this mailing list and know a lot more about this. That
said, I would argue that just allowScriptAccess is a good enough
example of these concerns.

> Loading a resource directly into a frame, on the other hand, doesn't have
> the same feel. It seems clear to me that a developer who wants to block
> plugins from executing on her site (via `object-src 'none'`) would expect a
> plugin embedded directly in a frame to be blocked.

But that still won't achieve the result you want because if you do
object-src 'none' but allow frames to another site, that could load
the object in its page. The developer has to specify frame-src to get
the result you want.

Separately, what about calling window.open on a plugin? Should
object-src apply there?

> Why would you accept that, but not `object-src` applying to those loads? It
> seems inconsistent with the rest of your argument, so I feel like I must be
> missing something.

Ohh, absolutely. If we create a separate directive, it should totally
apply to objects, images, fonts, etc. I just don't think it should
inherit by default.

Received on Friday, 27 February 2015 18:21:56 UTC
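To illustrate the point above about `object-src 'none'` not being enough on its own, here is an added policy-audit example (not code from the thread or from any browser): it parses a CSP header, resolves the `object-src` and `frame-src` directives through their fallback chains (`frame-src` to `child-src` to `default-src`; `object-src` to `default-src`), and reports when objects are blocked but framing is left open. The header strings are constructed for the example.

```python
"""Audit a Content-Security-Policy header for the gap discussed in the thread:
object-src 'none' alone does not stop a plugin loaded inside a frame, because
the framed document runs under its own policy. Only restricting what may be
framed (frame-src, or its child-src / default-src fallbacks) closes that path.
Added example, not code from the W3C thread; header strings are constructed."""

# Fallback chain for each directive we care about (CSP Level 2/3 rules).
FALLBACKS = {
    "object-src": ["object-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list that actually governs `directive`, walking the
    fallback chain, or None when nothing in the policy constrains it."""
    for name in FALLBACKS[directive]:
        if name in policy:
            return policy[name]
    return None


def is_blocked(sources):
    """A directive is treated as blocked only when it resolves to 'none'."""
    return sources is not None and [s.lower() for s in sources] == ["'none'"]


def audit_plugin_policy(header):
    """Report whether plugins are blocked directly (object-src) and whether
    they could still arrive through a framed document (frame-src chain)."""
    policy = parse_csp(header)
    objects_blocked = is_blocked(effective_sources(policy, "object-src"))
    frames_blocked = is_blocked(effective_sources(policy, "frame-src"))
    return {
        "objects_blocked": objects_blocked,
        "frames_blocked": frames_blocked,
        # The gap from the thread: objects blocked, but a frame to another
        # site can still embed the plugin under that site's own policy.
        "plugin_via_frame_possible": objects_blocked and not frames_blocked,
    }
```

Running `audit_plugin_policy("object-src 'none'")` flags the gap, while adding `frame-src 'none'` (or using `default-src 'none'`) clears it.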
