Closed Bug 972361 Opened 10 years ago Closed 7 years ago

[CSP] Applets loaded via <embed> tag ignore CSP

Categories

(Core :: DOM: Security, defect)

28 Branch
x86
Windows 7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: igor, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

Attached file applet_test.html

Consider the following Content-Security-Policy:

default-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'

It should not allow any Java applets to load on the page, and indeed on a test page that uses an <applet> tag the applet is not loaded. Yet this does not block an applet that is loaded via <EMBED>.

To reproduce, put the attached applet_test.html at a location with CSP configured as above.

Load the page and, if necessary, activate Java for the page.

The expected result should be that the applet is not run.

The actual result is that the applet is loaded, run and displays a message in Norwegian.

Note that the applet that the page inserts into the document is signed and is used in Norway as part of logging in to many online banks.

Another note is that Chrome 32 properly blocks the applet. However, if the CSP is changed to (removing object-src 'none')

default-src 'self' 'unsafe-inline' 'unsafe-eval'

then Chrome 32 loads and runs the applet as well.

Potentially this one got fixed by Bug 908933, but we should double check.

Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]

The HTML <applet> element and related Java functionality was removed from Gecko in Bug 1279218. Marking related bugs as invalid.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
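
Added example, not part of the bug report and not Gecko or Chrome code: a simplified JavaScript model of the directive selection the report relies on, where plugin content is checked against object-src and falls back to default-src when object-src is absent, regardless of which tag requested it. The function names, the bank.example URLs and the reduced source matcher are assumptions for illustration.

```javascript
// Added example: simplified model of CSP plugin-load checks, not browser code.
// The two policies are the ones quoted in the report; URLs are constructed.
const STRICT = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'";
const LOOSE = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
const PAGE = 'https://bank.example/applet_test.html'; // constructed page URL

// Parse a serialized policy into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Plugin content is checked against object-src, else default-src,
// whichever tag (<object>, <embed>, <applet>) requested it.
function pluginDirective(directives) {
  if (directives.has('object-src')) return 'object-src';
  return directives.has('default-src') ? 'default-src' : null;
}

// Reduced matcher (assumption): 'none', 'self', * and exact origins only.
function checkPluginLoad(policy, pageUrl, resourceUrl) {
  const directives = parsePolicy(policy);
  const directive = pluginDirective(directives);
  if (directive === null) return { allowed: true, directive };
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl);
  const allowed = directives.get(directive).some((source) => {
    const s = source.toLowerCase();
    if (s === '*') return /^https?:$/.test(res.protocol);
    if (s === "'self'") return res.origin === page.origin;
    if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', ...
    try { return new URL(s).origin === res.origin; } catch { return false; }
  });
  return { allowed, directive };
}

console.log(checkPluginLoad(STRICT, PAGE, 'applet.jar'));
console.log(checkPluginLoad(LOOSE, PAGE, 'applet.jar'));
```

A site that wants plugin content blocked has to state object-src 'none' explicitly, since default-src 'self' alone still admits same-origin plugin loads.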