Re: Plugin data (was Re: Comments on Mixed Content)

On Thu, Jan 15, 2015 at 11:39 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

>  Pulling out the section on plugin data.  Right now, the spec treats
> subrequests initiated by plugins as optionally blockable.
>

The spec actually considers them "blockable", similar to XHR (see
https://w3c.github.io/webappsec/specs/mixedcontent/#category-optionally-blockable;
plugin data requests should be tagged with a request context of "plugin",
which isn't listed as one of the optionally blockable contexts).


> Such requests might be for script subresources or they might be for image
> subresources, but either way they are categorized as optionally blockable.
> Since the plugin is the one requesting the resource, it is hard for the
> user agent to tell if the request is for content that should be
> blockable[1].  In order to avoid blocking optionally blockable content,
> user agents have categorized this as optionally blockable even though some
> of the content warrants blocking.
>

I don't have a solid timeline yet (waiting on numbers), but Chrome's intent
is to begin blocking all insecure plugin requests At Some Point In The
Relatively Near Future™. We can do this for PPAPI, as it uses our network
stack. We can't do it for NPAPI, but we're addressing that in other ways.


> As Mike has suggested below, should we add requirements for plugins?  We
> could add text that says plugins must not request blockable content in a
> secure context.
>

I'm happy to add some text somewhere to that effect. It's not clear to me
that plugin vendors will particularly care about being compliant, but we
can ask nicely. :)

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Register court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing Directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 16 January 2015 05:23:45 UTC
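The distinction Mike draws above (a request tagged with the "plugin" context is "blockable" like XHR, because "plugin" is not in the optionally blockable list, whereas images are optionally blockable) can be made concrete with a small classifier. The following is an added example written for this thread; it is not code from the spec, from Chrome, or from either poster. The contents of `OPTIONALLY_BLOCKABLE_CONTEXTS`, the simplified `isPotentiallySecure` check (https/wss only), the function names, and the `*.example.test` hosts are all assumptions made for illustration.

```javascript
// Added example (not from the thread or the spec): a simplified model of how a
// user agent sorts a subrequest into "not-mixed", "optionally-blockable" or
// "blockable" under the Mixed Content spec, and what it then does with it.

// Assumption: a simplified set of optionally blockable request contexts.
// "plugin" is deliberately absent, which is the point made in the reply:
// a plugin-initiated fetch falls through to "blockable", like XHR.
const OPTIONALLY_BLOCKABLE_CONTEXTS = new Set(["image", "audio", "video"]);

// Assumption: only https: and wss: count as potentially secure here. The real
// spec has a longer list (e.g. loopback), omitted to keep the model small.
function isPotentiallySecure(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.protocol === "wss:";
}

// Classify one subrequest relative to the document that embeds it.
function classifyRequest(documentUrl, requestUrl, requestContext) {
  // Mixed content only arises when the embedding document is itself secure.
  if (!isPotentiallySecure(documentUrl)) return "not-mixed";
  // A secure subrequest from a secure document is never mixed, whatever the context.
  if (isPotentiallySecure(requestUrl)) return "not-mixed";
  return OPTIONALLY_BLOCKABLE_CONTEXTS.has(requestContext)
    ? "optionally-blockable"
    : "blockable";
}

// Model of the common UA policy: block blockable content, allow (and warn on)
// optionally blockable content. For plugins this enforcement is only possible
// where the plugin's fetches go through the browser's own network stack, as
// the reply notes for PPAPI but not NPAPI.
function decide(documentUrl, requestUrl, requestContext) {
  const category = classifyRequest(documentUrl, requestUrl, requestContext);
  switch (category) {
    case "not-mixed":
      return { category, action: "allow" };
    case "optionally-blockable":
      return { category, action: "allow-with-warning" };
    default:
      return { category, action: "block" };
  }
}

// Constructed sample covering the cases discussed in the thread. Hosts are made up.
const SAMPLE_REQUESTS = [
  { doc: "https://example.test/page", url: "http://cdn.example.test/logo.png",    ctx: "image" },
  { doc: "https://example.test/page", url: "http://api.example.test/data",        ctx: "xmlhttprequest" },
  { doc: "https://example.test/page", url: "http://media.example.test/movie.flv", ctx: "plugin" },
  { doc: "https://example.test/page", url: "https://cdn.example.test/app.swf",    ctx: "plugin" },
  { doc: "http://example.test/page",  url: "http://cdn.example.test/logo.png",    ctx: "image" },
];

// Run the sample through the policy; returns one row per request.
function auditSample() {
  return SAMPLE_REQUESTS.map((r) => ({ ...r, ...decide(r.doc, r.url, r.ctx) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditSample()) {
    console.log(`${row.ctx.padEnd(15)} ${row.url.padEnd(38)} -> ${row.category} (${row.action})`);
  }
}
```

Note the third and fourth rows: the same "plugin" context is blocked when fetched over http: and allowed when fetched over https:, so the category depends on both the request context and the scheme, not on what kind of resource the plugin is ultimately loading. That is exactly why a user agent cannot tell whether the plugin wanted a script or an image, and why the thread proposes placing the requirement on plugins instead.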