Summary: | CSP blocks src-less plugins when enabled | ||
---|---|---|---|
Product: | WebKit | Reporter: | David Benjamin <davidben> |
Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Normal | CC: | abarth, sam |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | http://davidben.net/csp-test.html | ||
Bug Depends on: | |||
Bug Blocks: | 53572 |
Description
David Benjamin
2011-10-19 17:46:18 PDT
There was a thread about this on the public-web-security mailing list. There wasn't a clear resolution about what to do with URL-less plugins. My sense is that they should be treated as having the URL of the enclosing page, which would let you block them with 'none' for example. |