
Re: CSP 1.1: Behavior when presented with an invalid plugin-types directive?

From: Mike West <mkwst@google.com>
Date: Fri, 27 Jul 2012 17:15:15 +0200
Message-ID: <CAKXHy=eUjED7xqgWuEiWe2bfXnCmNodWO7k0Hf2dO9NV4iT-vQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Odin Hørthe Omdal <odinho@opera.com>, public-webappsec@w3.org
Thanks for the feedback. I'm convinced I was wrong. I've just pushed
https://dvcs.w3.org/hg/content-security-policy/rev/4700cb782553 which
reverts the draconian behavior in favor of simply ignoring invalid media
types. Copy/pasting the commit message here:

---

CSP 1.1: `plugin-types` no longer parses in a draconian fashion.

After a bit of discussion[1], it seems that there's consensus to revert the
earlier change to `plugin-types`'s behavior with regard to grammatically
invalid media types. Given `plugin-types invalid application/pdf;`, the policy
will allow resources of type `application/pdf` to load, and simply ignore the
`invalid` media type.

Two reasons for this change:

1. `plugin-types`, unlike `script-nonce`, fails closed. That is, it defaults
to an empty set of media types, and only allows those it understands. A
draconian policy doesn't really enhance this effect[2].

2. We'd like to retain the ability to extend the media type list grammar in
the future, perhaps by adding hosts[3].

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0073.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0077.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0078.html

---

Thanks!

-mike
Received on Friday, 27 July 2012 15:16:07 GMT
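The non-draconian parsing described in the commit message, as an added example that is not from this thread or the CSP specification repository. It assumes an RFC 2045-style `type/subtype` token grammar for media types and treats a policy with no `plugin-types` directive as unrestricted; both are assumptions, not text from the message.

```javascript
// Added example: models `plugin-types` after the revert described above.
// Invalid entries are ignored instead of poisoning the whole directive,
// and the allow-list still fails closed (nothing not listed may load).

// Assumption: media types are RFC 2045 tokens, "type/subtype".
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const MEDIA_TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);

// Parse the value of a `plugin-types` directive, e.g. "invalid application/pdf".
// Returns the allowed set (lower-cased; media types are case-insensitive)
// plus the entries that were skipped, so a console warning could name them.
function parsePluginTypes(directiveValue) {
  const allowed = new Set();
  const ignored = [];
  for (const entry of directiveValue.trim().split(/\s+/)) {
    if (entry === "") continue;
    if (MEDIA_TYPE_RE.test(entry)) {
      allowed.add(entry.toLowerCase());
    } else {
      ignored.push(entry); // e.g. "invalid", "application/", "a/b/c"
    }
  }
  return { allowed, ignored };
}

// Locate `plugin-types` in a full policy string. Assumption: a policy
// without the directive does not restrict plugins (returns null); a
// present-but-empty directive yields an empty set and so blocks everything.
function pluginTypesFromPolicy(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === "plugin-types") {
      return parsePluginTypes(rest.join(" "));
    }
  }
  return null;
}

// Load-time decision for a plugin resource of `mimeType`: fail closed.
function isPluginTypeAllowed(parsed, mimeType) {
  if (parsed === null) return true; // no directive: not restricted here
  return parsed.allowed.has(mimeType.toLowerCase());
}
```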
