ACTION-156: CSP: Clarify plugin-src behavior: if able to determine resource, self or none


State: pending review
Person: Mike West
Due on: November 1, 2014
Created on: November 19, 2013
Associated Product: CSP Level 2
Related emails: No related emails

Related notes:

http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0001.html
http://www.w3.org/2011/webappsec/minutes/2013-11-19-webappsec-minutes.html#item06

Current text says:

"Whenever the user agent would load a plugin without an associated URI (e.g., because the object element lacked a data attribute), if the protected resource’s URI does not match the allowed object sources, the user agent MUST NOT load the plugin."

Seems to imply consensus behavior (block on 'none', allow on 'self')

Brad Hill, 27 Oct 2014, 03:45:12
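
The quoted rule as a simplified check, added here as an illustration and not taken from the CSP specification or any browser. The function names and sample URLs are assumptions, and only `'none'`, `'self'` and full `scheme://host[:port]` sources are modelled:

```javascript
// Added example: simplified model of the URL-less plugin check quoted above.
// Not spec or browser code. Host wildcards, paths, scheme-only sources and
// scheme-less hosts are out of scope and are treated as non-matching.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) triple used for comparison.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does `url` match the object-src value, with 'self' resolved against `protectedUrl`?
function matchesObjectSources(objectSrcValue, url, protectedUrl) {
  const target = originOf(url);
  for (const source of objectSrcValue.trim().split(/\s+/)) {
    const s = source.toLowerCase();
    if (s === "'none'") continue; // 'none' matches nothing
    if (s === "'self'") {
      if (sameOrigin(target, originOf(protectedUrl))) return true;
      continue;
    }
    try {
      if (sameOrigin(target, originOf(source))) return true;
    } catch {
      // Source expression this simplified model cannot parse: no match.
    }
  }
  return false;
}

// A plugin with no associated URI (e.g. <object> without a data attribute):
// the protected resource's own URI is matched against the allowed object sources.
function allowUrlLessPlugin(objectSrcValue, protectedUrl) {
  return matchesObjectSources(objectSrcValue, protectedUrl, protectedUrl);
}

// Constructed sample page URL.
const PAGE = "https://example.com/app/index.html";
console.log(allowUrlLessPlugin("'none'", PAGE), allowUrlLessPlugin("'self'", PAGE));
```

In this model a host list that omits the page's own origin also blocks the URL-less plugin, a case the 'none'/'self' summary does not mention.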



Chairs: Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>
Staff Contacts: Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
$Id: 156.html,v 1.1 2020/01/17 08:51:26 carcone Exp $