[webappsec] plugin-types directive for CLSIDs in IE from Hill, Brad on 2013-06-04 (public-webappsec@w3.org from June 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 4 Jun 2013 00:18:42 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27AE339D@DEN-EXDDA-S12.corp.ebay.com>

Issue-50 in our WebAppSec tracker refers to the need to specify syntax for using the plugin-types directive (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#plugin-types) with IE when it uses the CLSID method for identifying ActiveX embeds.  

I wonder if David Ross, Jacob Rossi or someone else at Microsoft can help us resolve this?

We could just allow a syntax much like the classid attribute, ("clsid: D27CDB6E-AE6D-11cf-96B8-444553540000") but perhaps no change is needed?

The Windows Registry under \\HKEY_CLASSES_ROOT\MIME\Database\Content Type\ has mappings from MIME Types to CLSIDs.  Are these reliably populated? (there seem to be a lot of them on my machine)  Can IE just use this to determine what CLSIDs are implied by a given MIME type in a plugin-types directive?

Thanks,

Brad

Received on Tuesday, 4 June 2013 00:19:16 UTC