- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 27 Feb 2015 10:21:08 -0800
- To: Mike West <mkwst@google.com>
- Cc: Emily Stark <estark@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi

> Can you enumerate the difference in privilege between a plugin embedded via
> `<object>` and a plugin embedded via `<iframe>`? If there are real and
> relevant differences, then it's probably reasonable to revisit both Blink's
> implementation and the spec text.

Well, to begin with, using an object tag I (or an attacker during XSS) can pass in params like allowScriptAccess with a `<param>` tag. I don't think there is a way to do that with iframes.

I hesitate to _enumerate_ anything because I also don't know, and I know people like Peleus are on this mailing list and know a lot more about this. That said, I would argue that just allowScriptAccess is a good enough example of these concerns.

> Loading a resource directly into a frame, on the other hand, doesn't have
> the same feel. It seems clear to me that a developer who wants to block
> plugins from executing on her site (via `object-src 'none'`) would expect a
> plugin embedded directly in a frame to be blocked.

But that still won't achieve the result you want, because if you do `object-src 'none'` but allow frames to another site, that site could load the object in its page. The developer has to specify frame-src to get the result you want.

Separately, what about calling window.open on a plugin? Should object-src apply there?

>
> Why would you accept that, but not `object-src` applying to those loads? It
> seems inconsistent with the rest of your argument, so I feel like I must be
> missing something.
>

Ohh, absolutely. If we create a separate directive, it should totally apply to objects, images, fonts, etc. I just don't think it should inherit by default.

cheers
Dev
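The point about `object-src 'none'` not being sufficient on its own can be checked mechanically. The following is an added example written for this archive page, not code from the thread, Blink, or the CSP spec: a deliberately simplified CSP evaluator that resolves the governing directive for an `<object>` load and for a frame load (using the object-src -> default-src and frame-src -> child-src -> default-src fallback chains), matches origin-level source expressions only (no nonces, hashes or path matching), and then walks the two-hop scenario Dev describes. The page origins, the framed site `https://other.example` and the plugin URL are constructed sample values.

```python
"""Simplified CSP evaluator: which directive governs a plugin or frame load,
and whether that load is allowed.  Illustrative model only (origin-level
source matching, no nonces/hashes/paths), not any browser's implementation.
"""
from urllib.parse import urlsplit

# Fallback chains: the first directive present in the policy governs the load.
FALLBACKS = {
    "object": ["object-src", "default-src"],
    "frame": ["frame-src", "child-src", "default-src"],
}


def parse_csp(header):
    """Parse 'name src src; name src' into {name: [sources]}; first duplicate wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def source_matches(src, resource_url, page_origin):
    """Origin-level match of one CSP source expression against a resource URL."""
    s = src.lower()
    res = urlsplit(resource_url)
    res_origin = f"{res.scheme}://{res.netloc}".lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return res_origin == page_origin.lower()
    if s.endswith(":") and "/" not in s:          # scheme source, e.g. https:
        return res.scheme.lower() == s[:-1]
    scheme, _, host = s.rpartition("://")         # host source, optional scheme
    if scheme and scheme != res.scheme.lower():
        return False
    if host.startswith("*."):                     # wildcard subdomain, e.g. *.example.com
        return res.netloc.lower().endswith(host[1:])
    return res.netloc.lower() == host


def load_allowed(policy, load_type, resource_url, page_origin):
    """Return (governing_directive, allowed).  No governing directive -> allowed."""
    for name in FALLBACKS[load_type]:
        if name in policy:
            allowed = any(source_matches(s, resource_url, page_origin) for s in policy[name])
            return name, allowed
    return None, True


def plugin_reachable(page_csp, page_origin, framed_csp, framed_url, plugin_url):
    """Two-hop scenario from the thread: can the plugin end up rendered inside the page,
    either directly via <object>, or via a frame to another site that embeds it?
    Each document is evaluated against its own policy, as CSP does."""
    page = parse_csp(page_csp)
    framed = parse_csp(framed_csp)
    framed_origin = "{0.scheme}://{0.netloc}".format(urlsplit(framed_url))
    _, direct = load_allowed(page, "object", plugin_url, page_origin)
    _, frame_ok = load_allowed(page, "frame", framed_url, page_origin)
    _, inner = load_allowed(framed, "object", plugin_url, framed_origin)
    return {
        "direct_object": direct,
        "frame_to_other_site": frame_ok,
        "object_inside_frame": inner,
        "plugin_reachable": direct or (frame_ok and inner),
    }


# Constructed sample values for the two policies compared in the thread.
PAGE_ORIGIN = "https://app.example"
PLUGIN_URL = "https://cdn.example/player.swf"
FRAMED_URL = "https://other.example/embed.html"
FRAMED_CSP = ""  # the other site sets no CSP of its own

# object-src 'none' alone: direct embed blocked, but the frame route stays open.
OBJECT_ONLY = "object-src 'none'; frame-src https://other.example"
# Locking frame-src as well closes the second hop.
OBJECT_AND_FRAME = "object-src 'none'; frame-src 'none'"

if __name__ == "__main__":
    for label, csp in (("object-src only", OBJECT_ONLY), ("object-src + frame-src", OBJECT_AND_FRAME)):
        print(label, plugin_reachable(csp, PAGE_ORIGIN, FRAMED_CSP, FRAMED_URL, PLUGIN_URL))
```

Running it shows the first policy reports `plugin_reachable: True` (the direct `<object>` is blocked, but the permitted frame to `https://other.example` carries no object-src restriction of its own), while the second reports `False`. The model intentionally stops at origin matching; real evaluation also handles nonces, hashes, path components and the `window.open` case raised above, which no fetch directive governs.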
Received on Friday, 27 February 2015 18:21:56 UTC