On 7/11/09 1:12 PM, FunkyRes wrote:
<video controls="controls" width="320" height="240">
  <source src="/media/ogg/bfw-trailer-320x240.ogv" type="video/ogg">
  <object type="application/x-java-applet" width="320" height="240">
    <param name="archive" value="http://theora.org/cortado.jar">
    <param name="code" value="com.fluendo.player.Cortado.class">
    <param name="url" value="/media/ogg/bfw-trailer-320x240.ogv">
    <param name="autoPlay" value="false">
  </object>
</video>

Obviously the domain of the ogg file would have to be white-listed in object-src and media-src but where do I need to specify (in this example) theora.org as white listed? Would that be in the object-src as well?

Yes. media-src applies to the media used in <video>, and all data loaded for the <object> tag is subject to object-src. So for this example above, the minimum policy would be:

"allow none; media-src self; object-src self theora.org"

-Sid
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
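
The policy from the reply checked against the loads in the quoted markup, as an added example that is not part of the original message. It is a simplified model of the draft syntax used in this thread (unquoted self/none, `allow` as the fallback directive, exact host matching), not the browser's own algorithm; the page origin and the script URL are assumptions.

```javascript
// Added example: simplified model of the draft CSP syntax used in this thread
// (unquoted `self`/`none`, `allow` as the fallback directive). Host matching is exact.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  // A directive that is not listed falls back to `allow`; no `allow` means deny here.
  const sources = directives.get(directive) ?? directives.get("allow") ?? [];
  const target = new URL(resourceUrl, pageOrigin); // resolves relative URLs
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "none") return false;
    if (src === "self") return target.origin === page.origin;
    return target.hostname === src.toLowerCase(); // bare host, any scheme or port
  });
}

// Constructed inputs: the page origin is an assumption; the first two URLs are
// taken from the quoted markup.
const PAGE = "http://www.example.org";
const POLICY = "allow none; media-src self; object-src self theora.org";
const LOADS = [
  ["media-src", "/media/ogg/bfw-trailer-320x240.ogv"], // <video><source>
  ["object-src", "http://theora.org/cortado.jar"],     // <object> archive
  ["script-src", "http://theora.org/player.js"],       // hypothetical, not in the markup
];

// One line per load: which directive governs it and whether the policy permits it.
function report(policy) {
  return LOADS.map(([directive, url]) =>
    `${isAllowed(policy, directive, url, PAGE) ? "allow" : "block"} ${directive} ${url}`);
}

console.log(report(POLICY).join("\n"));
```

Dropping theora.org from object-src blocks the applet archive while the video still loads through media-src.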
