[Webkit-unassigned] [Bug 70463] New: CSP blocks src-less plugins when enabled
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Oct 19 17:46:18 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=70463
Summary: CSP blocks src-less plugins when enabled
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
URL: http://davidben.net/csp-test.html
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: davidben at mit.edu
Having a Content-Security-Policy enabled blocks <embed> tags without a src attribute. I've put together a quick test case at
http://davidben.net/csp-test.html
It sends "default-src 'self'" on both X-WebKit-CSP and X-Content-Security-Policy. The contents are a Flash applet with no src and an image from another site just to make sure CSP is working at all. In the latest Chromium nightly, both are blocked and I get
Refused to load object from '' because of Content-Security-Policy.
in the console. In Firefox only the image is blocked, and I get an (uninteresting) Flash applet. But Flash does still load. I think it makes more sense for CSP not to trigger here since nothing from another origin is actually being loaded (and this block can be circumvented by putting in a dummy src from the same origin anyway). This is particularly relevant if I want to turn on CSP for a Chrome extension that embeds an NPAPI plugin into the background page; they're often src-less, including in the example.
http://code.google.com/chrome/extensions/npapi.html
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list