Re: CSP 1.1: Behavior when presented with an invalid plugin-types directive?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 23 Jul 2012 16:32:01 -0700
Message-ID: <500DDEF1.3000204@mozilla.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, Odin Hørthe Omdal <odinho@opera.com>, public-webappsec@w3.org

On 7/23/12 4:09 PM, Devdatta Akhawe wrote:
> I agree with Mike and like #2 more. [...]
> 
> Note that Mike's suggestion allows for application/foobar, where
> application/foobar is not a mime type that the browser knows what to
> do with (and the browser could say that in the console). But it will
> fail loudly for just application (e.g., if developer mistakenly put a
> space and typed out application / foobar )

In the common case they're both about the same: most of the time
pages will have one plugin and "application/ foobar" will fail to
load it. If developers are testing their site they'll notice under
option #1, and if they aren't testing then failing more with option
#2 is unlikely to help much.

Option 1 had the benefit of allowing for future expansion, although
I can't imagine what that would be at this time.

-Dan
Received on Monday, 23 July 2012 23:32:44 GMT
