ISSUE-10: Processing model for object element and frame-src directive

State: CLOSED
Product: CSP Level 1
Raised by: Brad Hill
Opened on: 2012-01-17
Description:
Section 4.7 of Content Security Policy:

Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed frame sources, the user agent must act as if it had received an empty HTTP 400 response:
• Requesting data for display in a frame, such as when processing the src attribute of an iframe or frame element.
• Navigating a nested browsing context within the protected document.


Issue: How does this work for the object element? We don't know whether the request is going to lead to a plug-in or a frame until we get the response back and can look at the MIME type.
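
The ambiguity described above, as a simplified JavaScript model (an added example, not text from the specification or from this tracker). The function names, the exact-origin source matching, the MIME-type split between frame and plug-in content, and the sample URLs are assumptions made for illustration.

```javascript
// Added example: simplified model of the quoted Section 4.7 rule.
// Assumption: a source list holds exact origins or "*"; real CSP
// source-expression matching has more cases than this.
function matchesSources(uri, sources) {
  const origin = new URL(uri).origin;
  return sources.some((s) => s === "*" || s === origin);
}

// Every URI fetched for a frame, including each redirect hop, must match
// the allowed frame sources; otherwise act as if an empty 400 came back.
function fetchForFrame(redirectChain, frameSources) {
  for (const uri of redirectChain) {
    if (!matchesSources(uri, frameSources)) {
      return { status: 400, body: "", blockedAt: uri };
    }
  }
  return { status: 200, blockedAt: null };
}

// Assumption: HTML-like responses turn an object element into a nested
// browsing context (a frame); anything else is treated as plug-in content.
const FRAME_TYPES = ["text/html", "application/xhtml+xml"];

// Can the frame-src check be made for this element yet?
// mimeType is undefined at request time, before any response exists.
function frameSrcApplicability(element, mimeType) {
  if (element === "iframe" || element === "frame") return "applies";
  if (element !== "object") return "does-not-apply";
  if (mimeType === undefined) return "unknown"; // the gap this issue raises
  const essence = mimeType.split(";")[0].trim().toLowerCase();
  return FRAME_TYPES.includes(essence) ? "applies" : "does-not-apply";
}

// Constructed sample data: the second hop redirects off the allowed origin.
const allowed = ["https://widgets.example"];
const chain = [
  "https://widgets.example/embed",
  "https://other.example/landing",
];
console.log(fetchForFrame(chain, allowed));
console.log(frameSrcApplicability("iframe"));
console.log(frameSrcApplicability("object"));
console.log(frameSrcApplicability("object", "text/html; charset=utf-8"));
```

For iframe and frame the check can run on every hop before the request is sent; for object the model can only answer once a response type is available.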
Related Action Items: No related actions
Related emails: No related emails
Related notes: No additional notes.

Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts