CSP 1.1: `plugin-types`, and explicit type declaration.

Hello, public-webappsec!

While fiddling around with an experimental WebKit implementation of the
`plugin-types` directive[1], we realized that the implementation can be
greatly simplified by requiring that the browser behave as though
`typemustmatch`[2] is set on the element loading the plugin.

In a nutshell, this would require web authors to explicitly declare the
type of the plugin they'd like to load by adding a `type` attribute to the
`object` element. The plugin then only loads if the MIME type of the
resource that's loaded actually matches that declared type. Given
`plugin-types application/x-shockwave-flash application/pdf`:

* `<object data="awesomeflash.swf" type="application/x-shockwave-flash"></object>` would load.

* `<object data="awesomeflash.swf" type="application/x-not-flash"></object>` would not, as the declared type isn't whitelisted.

* `<object data="awesomeflash.swf" type="application/pdf"></object>` would not, as the declared type doesn't match the resource type.

* `<object data="awesomeflash.swf"></object>` would not, as it has no declared type.

This has some nice security properties (preventing confusion attacks) at
fairly minimal cost to the developer. In fact, I believe Chromium turns
this behavior on by default, regardless of the presence of the
`typemustmatch` attribute.
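To make the proposed rule concrete, here is an added example (my own model, not WebKit's or Chromium's code) that parses the `plugin-types` directive out of a CSP header and applies the forced-`typemustmatch` check to the four cases above. The function names, the `cspHeader` string and the `resourceType` argument (standing in for the fetched resource's Content-Type) are assumptions for illustration.

```javascript
// Added example: a minimal model of the proposal, not browser code.

// Reduce a MIME string to its lowercase media type, dropping parameters
// such as "; charset=..." that a Content-Type header may carry.
function normalizeMime(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// Parse the `plugin-types` directive from a CSP header value.
// Returns null when the directive is absent (the rule then does not apply),
// otherwise a Set of whitelisted media types.
function parsePluginTypes(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "plugin-types") {
      return new Set(tokens.slice(1).map(normalizeMime));
    }
  }
  return null;
}

// Decide whether an <object> may load its plugin under the proposal:
// when `plugin-types` is set, the element must carry a `type` attribute,
// that type must be whitelisted, and it must equal the fetched resource's
// MIME type (i.e. `typemustmatch` behaviour is forced on).
//   declaredType: the element's `type` attribute, or undefined if absent
//   resourceType: the Content-Type of the fetched resource (assumed input)
function mayLoadPlugin(cspHeader, declaredType, resourceType) {
  const allowed = parsePluginTypes(cspHeader);
  if (allowed === null) return true;          // no directive: nothing to enforce here
  if (!declaredType) return false;            // no declared type
  const declared = normalizeMime(declaredType);
  if (!allowed.has(declared)) return false;   // declared type isn't whitelisted
  return declared === normalizeMime(resourceType); // declared type must match resource
}

// Constructed policy matching the message's example.
const EXAMPLE_POLICY =
  "default-src 'self'; plugin-types application/x-shockwave-flash application/pdf";
```

Running `mayLoadPlugin(EXAMPLE_POLICY, "application/pdf", "application/x-shockwave-flash")` returns `false` even though `application/pdf` is whitelisted, which is the mismatch case the third bullet describes.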

What do you think about adjusting the spec to make this behavior required
if the `plugin-types` directive is set?

Thanks!

[1]: http://webk.it/91919
[2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Tuesday, 7 August 2012 14:14:08 UTC