W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [CSP3] Allow plugin-types "none"

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 30 Dec 2014 19:31:10 +0000
Message-ID: <CAEeYn8jFsLBsr3Q6mwyyONke_-_oScL1+qwi+kOf2CzK4VR=yw@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>, public-webappsec@w3.org
https://www.w3.org/2011/webappsec/track/issues/74

On Tue Dec 30 2014 at 10:32:17 AM Craig Francis <craig@craigfrancis.co.uk>
wrote:

> Hi,
>
> In regards to the plugin-types:
>
>
> http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types
>
> Google Chrome (v40) complains if you set 'none' for the plugin-types
> directive (or leave it blank).
>
>
> https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ
>
> I would personally prefer to have this option, so the default for the
> website is to always return 'none', then plugin-types can be set as needed
> (along with the object-src).
>
> Craig
>
Received on Tuesday, 30 December 2014 19:31:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC