Closed
Bug 972361
Opened 11 years ago
Closed 7 years ago
[CSP] Applets loaded via <embed> tag ignore CSP
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: igor, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
Attachments
(1 file)
2.15 KB,
text/plain
|
Details |
Consider the following Content-Security-Policy:
default-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'
It should not allow to load any Java applets on the page and indeed on a test page that uses an <applet> tag the applet is not loaded. Yet this does not block an applet that is loaded via <EMBED>.
To reproduce, put the attached applet_test.html to a location with CSP configured as above.
Load the page and activate if necessary Java for the page.
The expected result should be that the applet is not run.
The actual result is that applet is loaded, run and displays a message in Norwegian.
Note that the applet that the page inserts into the document is signed and is used in Norway as a part of logging in many online banks.
Another note is that Chrome 32 properly blocks the applet. However, if the CSP is changed to (removing object-src 'none')
default-src 'self' 'unsafe-inline' 'unsafe-eval'
then Chrome 32 loads and runs the applet as well.
Comment 1•9 years ago
|
||
Potentially this one got fixed by Bug 908933, but we should double check.
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Comment 2•7 years ago
|
||
The HTML <applet> element and related java functionality was removed from Gecko in Bug 1279218. Marking related bugs as invalid.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•