I don't understand the use case. This should be addressed by `object-src 'none'`, shouldn't it? In particular, I don't understand the notion of a default which can be overridden as needed. If `plugin-types 'none'` was set, how would you allow something in the future? -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Tue, Dec 30, 2014 at 8:31 PM, Brad Hill <hillbrad@gmail.com> wrote: > https://www.w3.org/2011/webappsec/track/issues/74 > > > On Tue Dec 30 2014 at 10:32:17 AM Craig Francis <craig@craigfrancis.co.uk> > wrote: > >> Hi, >> >> In regards to the plugin-types: >> >> >> http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types >> >> Google Chrome (v40) complains if you set 'none' for the plugin-types >> directive (or leave it blank). >> >> >> https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ >> >> I would personally prefer to have this option, so the default for the >> website is to always return 'none', then plugin-types can be set as needed >> (along with the object-src). >> >> Craig >> >
Received on Thursday, 8 January 2015 10:38:09 UTC