Java and CSP

[FunkyRes]

I'm working on a blog software that will allow users to take advantage
of the new video and audio tags, falling back to cortado.

[video=w320h240]/media/ogg/bfw-trailer-320x240.ogv[/video]

would expand to

<video controls="controls" width="320" height="240">
<source src="/media/ogg/bfw-trailer-320x240.ogv" type="video/ogg">
<object type="application/x-java-applet" width="320" height="240">
<param name="archive" value="http://theora.org/cortado.jar">
<param name="code" value="com.fluendo.player.Cortado.class">
<param name="url" value="/media/ogg/bfw-trailer-320x240.ogv">
<param name="autoPlay" value="false">
</object>
</video>

Obviously the domain of the ogg file would have to be white-listed in
object-src and media-src but where do I need to specify (in this
example) theora.org as white listed? Would that be in the object-src
as well?

[Sid Stamm]

On 7/11/09 1:12 PM, FunkyRes wrote:
> <video controls="controls" width="320" height="240">
> <source src="/media/ogg/bfw-trailer-320x240.ogv" type="video/ogg">
> <object type="application/x-java-applet" width="320" height="240">
> <param name="archive" value="http://theora.org/cortado.jar">
> <param name="code" value="com.fluendo.player.Cortado.class">
> <param name="url" value="/media/ogg/bfw-trailer-320x240.ogv">
> <param name="autoPlay" value="false">
> </object>
> </video>
>
> Obviously the domain of the ogg file would have to be white-listed in
> object-src and media-src but where do I need to specify (in this
> example) theora.org as white listed? Would that be in the object-src
> as well?

Yes. media-src applies to the media used in <video>, and all data
loaded for the <object> tag is subject to object-src. So for this
example above, the minimum policy would be:

"allow none; media-src self; object-src self theora.org"

-Sid