W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2012

CSP 1.1: `plugin-types`, and explicit type declaration.

From: Mike West <mkwst@google.com>
Date: Tue, 7 Aug 2012 16:13:14 +0200
Message-ID: <CAKXHy=dMZmfb8Sz8KiAf956i8WKG=60gS16Ln4++XvuqZyxWZw@mail.gmail.com>
To: public-webappsec@w3.org
Hello, public-webappsec!

While fiddling around with an experimental WebKit implementation of the
`plugin-types` directive[1], we realized that the implementation can be
greatly simplified by requiring that the browser behave as though
`typemustmatch`[2] is set on the element loading the plugin.

In a nutshell, this would require web authors to explicitly declare the
type of the plugin they'd like to load by adding a `type` attribute to the
`object` element. The plugin then only loads if the MIME type of the
resource that's loaded actually matches that declared type. Given
`plugin-types application/x-shockwave-flash application/pdf`:

* `<object data="awesomeflash.swf"
type="application/x-shockwave-flash"></object>` would load.

* `<object data="awesomeflash.swf"
type="application/x-not-flash"></object>` would not, as the declared type
isn't whitelisted.

* `<object data="awesomeflash.swf" type="application/pdf"></object>` would
not, as the declared type doesn't match the resource type.

* `<object data="awesomeflash.swf"></object>` would not, as it has no
declared type.

This has some nice security properties (preventing confusion attacks) at
fairly minimal cost to the developer. In fact, I believe Chromium turns
this behavior on by default, regardless of the presence of the
`typemustmatch` attribute.

What do you think about adjusting the spec to make this behavior required
if the `plugin-types` directive is set?


[1]: http://webk.it/91919

Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 7 August 2012 14:14:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:28 UTC