[Webkit-unassigned] [Bug 92396] New: CSP directive `object-src 'none'` should block loading of content in objects.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 26 10:36:09 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=92396

           Summary: CSP directive `object-src 'none'` should block loading
                    of content in objects.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mkwst at chromium.org
                CC: abarth at webkit.org


The attached test gives results that I don't understand; I think that setting `object-src 'none'` should block the image from being loaded via the `object` tag (see the spec: "It is not required that the consumer of the element's data be a plugin in order for the object-src directive to be enforced. ...").

I'm not sure if the behavior I'm seeing is a bug in my understanding of plugins, or a bug in our CSP implementations (or a bug in my test, I suppose).
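
The rule quoted from the spec in this report, as an added example that is not part of the original bug report or of WebKit's code: a simplified policy check in which the governing directive is chosen by the element (`object`), not by the type of data it loads. The function names, the origin `https://example.test` and the reduced source matching (`'none'`, `*`, `'self'`, exact origins) are assumptions made for illustration.

```javascript
// Added example: simplified CSP check, not WebKit's implementation.
// Supported source expressions: 'none', '*', 'self', and exact origins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive that governs a load is decided by the element, never by the
// MIME type of the data the element ends up consuming.
const DIRECTIVE_FOR_ELEMENT = {
  object: 'object-src',
  embed: 'object-src',
  applet: 'object-src',
  img: 'img-src',
};

function allowsLoad(header, pageOrigin, element, url) {
  const policy = parsePolicy(header);
  const directive = DIRECTIVE_FOR_ELEMENT[element];
  if (!directive) throw new Error(`unsupported element: ${element}`);
  // Fall back to default-src when the specific directive is absent.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this load
  const target = new URL(url, pageOrigin).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return target === pageOrigin;
    return s === target; // exact origin match only (assumption)
  });
}
```

With `object-src 'none'`, the same image URL is refused for `<object>` and still permitted for `<img>`, which is the outcome the report expects.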
