Re: CSP 1.1: Behavior when presented with an invalid plugin-types directive?

Thanks for the feedback. I'm convinced I was wrong. I've just pushed
https://dvcs.w3.org/hg/content-security-policy/rev/4700cb782553 which
reverts the draconian behavior in favor of simply ignoring invalid media
types. Copy/pasting the commit message here:

---

CSP 1.1: `plugin-types` no longer parses in a draconian fashion.

After a bit of discussion[1], it seems that there's consensus to revert the
earlier change to `plugin-types`'s behavior with regard to grammatically
invalid media types. Given `plugin-types invalid application/pdf;`, the
policy will allow resources of type `application/pdf` to load, and simply
ignore the `invalid` media type.

Two reasons for this change:

1. `plugin-types`, unlike `script-nonce`, fails closed. That is, it
defaults to an empty set of media types, and only allows those it
understands. A draconian policy doesn't really enhance this effect[2].

2. We'd like to retain the ability to extend the media type list grammar in
the future, perhaps by adding hosts[3].

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0073.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0077.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0078.html

---

Thanks!

-mike

Received on Friday, 27 July 2012 15:16:07 UTC
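The two parsing behaviours the message contrasts (the reverted "draconian" mode, where one bad token voids the whole list, and the adopted mode, where bad tokens are simply skipped), written out as an added example that is not part of the thread, the commit, or the CSP specification text. It assumes a simplified media-type grammar (`type "/" subtype` built from RFC 2045 token characters), whitespace-separated tokens, case-insensitive comparison, and that a policy with no `plugin-types` directive at all places no restriction on plugin media types; all of these are assumptions of the example, not statements from the message.

```javascript
// Added example: a minimal parser for the CSP 1.1 `plugin-types` directive
// that demonstrates the lenient (adopted) and draconian (reverted) behaviours.
// Assumption: a media type is `type "/" subtype` made of RFC 2045 token
// characters; this is a simplification of the real grammar.
const MEDIA_TYPE_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+\/[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Split a serialized policy into a Map of directive name -> value tokens.
// Directive names are lower-cased; the first occurrence of a name wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/[ \t]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Lenient parse (the behaviour adopted in the commit): keep every token that
// is a grammatically valid media type, drop the rest, and report the dropped
// tokens so a UA could log a console warning about them.
function parsePluginTypesLenient(tokens) {
  const allowed = new Set();
  const ignored = [];
  for (const t of tokens) {
    if (MEDIA_TYPE_RE.test(t)) allowed.add(t.toLowerCase());
    else ignored.push(t);
  }
  return { allowed, ignored };
}

// Draconian parse (the reverted behaviour): any invalid token invalidates the
// whole list, so the directive ends up allowing nothing at all.
function parsePluginTypesDraconian(tokens) {
  const valid = tokens.every((t) => MEDIA_TYPE_RE.test(t));
  return {
    allowed: valid ? new Set(tokens.map((t) => t.toLowerCase())) : new Set(),
    ignored: valid ? [] : tokens.slice(),
  };
}

// Decide whether a plugin resource of `mimeType` may load under `policy`.
// Assumption: an absent directive means no restriction. A present directive
// fails closed: only listed media types load, and an empty list allows none.
function pluginAllowed(policy, mimeType, { draconian = false } = {}) {
  const directives = parsePolicy(policy);
  if (!directives.has('plugin-types')) return true;
  const parse = draconian ? parsePluginTypesDraconian : parsePluginTypesLenient;
  const { allowed } = parse(directives.get('plugin-types'));
  return allowed.has(mimeType.toLowerCase());
}

// Constructed sample policy, using the exact directive quoted in the message.
const SAMPLE_POLICY = "default-src 'self'; plugin-types invalid application/pdf;";
// Lenient: application/pdf loads, `invalid` is ignored.
pluginAllowed(SAMPLE_POLICY, 'application/pdf');
// Draconian: the stray token empties the list, so nothing loads.
pluginAllowed(SAMPLE_POLICY, 'application/pdf', { draconian: true });
```

The fail-closed property the message relies on is visible in `pluginAllowed`: with the directive present, a type not in `allowed` is refused regardless of parsing mode, so ignoring `invalid` costs nothing, while the draconian mode turns a typo into a policy that blocks the very types the author meant to permit.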