ACTION-156: CSP: Clarify plugin-src behavior: if able to determine resource, self or none
- State: pending review
- Person: Mike West
- Due on: November 1, 2014
- Created on: November 19, 2013
- Associated Product: CSP Level 2
- Related emails: No related emails
Related notes:
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0001.html
http://www.w3.org/2011/webappsec/minutes/2013-11-19-webappsec-minutes.html#item06
Current text says:
"Whenever the user agent would load a plugin without an associated URI (e.g., because the object element lacked a data attribute), if the protected resource’s URI does not match the allowed object sources, the user agent MUST NOT load the plugin."
Seems to imply consensus behavior (block on 'none', allow on 'self')