Consider the following Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none' It should not allow to load any Java applets on the page and indeed on a test page that uses an <applet> tag the applet is not loaded. Yet this does not block an applet that is loaded via <EMBED>. To reproduce, put the attached applet_test.html to a location with CSP configured as above. Load the page and activate if necessary Java for the page. The expected result should be that the applet is not run. The actual result is that applet is loaded, run and displays a message in Norwegian. Note that the applet that the page inserts into the document is signed and is used in Norway as a part of logging in many online banks. Another note is that Chrome 32 properly blocks the applet. However, if the CSP is changed to (removing object-src 'none') default-src 'self' 'unsafe-inline' 'unsafe-eval' then Chrome 32 loads and runs the applet as well.

Potentially this one got fixed by Bug 908933, but we should double check.

The HTML <applet> element and related java functionality was removed from Gecko in Bug 1279218. Marking related bugs as invalid.