Bug 70463

Having a Content-Security-Policy enabled blocks <embed> tags without a src attribute. I've put together a quick test case at http://davidben.net/csp-test.html It sends "default-src 'self'" on both X-WebKit-CSP and X-Content-Security-Policy. The contents are a Flash applet with no src and an image from another site just to make sure CSP is working at all. In the latest Chromium nightly, both are blocked and I get Refused to load object from '' because of Content-Security-Policy. in the console. In Firefox only the image is blocked, and I get an (uninteresting) Flash applet. But Flash does still load. I think it makes more sense for CSP not to trigger here since nothing from another origin is actually being loaded (and this block can be circumvented by putting in a dummy src from the same origin anyway). This is particularly relevant if I want to turn on CSP for a Chrome extension that embeds an NPAPI plugin into the background page; they're often src-less, including in the example. http://code.google.com/chrome/extensions/npapi.html