- From: Mike West <mkwst@google.com>
- Date: Tue, 7 Aug 2012 16:13:14 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=dMZmfb8Sz8KiAf956i8WKG=60gS16Ln4++XvuqZyxWZw@mail.gmail.com>
Hello, public-webappsec!

While fiddling around with an experimental WebKit implementation of the `plugin-types` directive[1], we realized that the implementation can be greatly simplified by requiring that the browser behave as though `typemustmatch`[2] is set on the element loading the plugin. In a nutshell, this would require web authors to explicitly declare the type of the plugin they'd like to load by adding a `type` attribute to the `object` element. The plugin then only loads if the MIME type of the resource that's loaded actually matches that declared type.

Given `plugin-types application/x-shockwave-flash application/pdf`:

* `<object data="awesomeflash.swf" type="application/x-shockwave-flash"></object>` would load.
* `<object data="awesomeflash.swf" type="application/x-not-flash"></object>` would not, as the declared type isn't whitelisted.
* `<object data="awesomeflash.swf" type="application/pdf"></object>` would not, as the declared type doesn't match the resource type.
* `<object data="awesomeflash.swf"></object>` would not, as it has no declared type.

This has some nice security properties (preventing confusion attacks) at fairly minimal cost to the developer. In fact, I believe Chromium turns this behavior on by default, regardless of the presence of the `typemustmatch` attribute.

What do you think about adjusting the spec to make this behavior required if the `plugin-types` directive is set?

Thanks!

[1]: http://webk.it/91919
[2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 7 August 2012 14:14:08 UTC
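The decision procedure proposed in the message above, written out as an added example (not code from the thread, WebKit, or Chromium): the `plugin-types` value is parsed into a whitelist, and an `object` element loads only when it declares a `type`, that type is whitelisted, and the fetched resource's MIME type matches it. The function names `parsePluginTypes`, `normalizeMimeType` and `shouldLoadPlugin` are assumptions made for this illustration.

```javascript
// Split a `plugin-types` directive value into a set of normalized MIME types.
// Constructed example: "application/x-shockwave-flash application/pdf".
function parsePluginTypes(directiveValue) {
  return new Set(
    directiveValue
      .split(/\s+/)
      .filter(Boolean)
      .map(normalizeMimeType)
      .filter((t) => t !== null)
  );
}

// Reduce a MIME type to its lowercase essence ("type/subtype"), dropping
// parameters such as "; charset=binary". Returns null for a missing or
// malformed value, which covers an <object> with no `type` attribute.
function normalizeMimeType(type) {
  if (typeof type !== "string") return null;
  const essence = type.split(";")[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s/]+$/.test(essence) ? essence : null;
}

// Behave as though `typemustmatch` were set whenever `plugin-types` is present:
// every one of the three checks must pass before the plugin is instantiated.
// `allowedTypes` is the Set from parsePluginTypes; `declaredType` is the
// element's `type` attribute (undefined when absent); `resourceType` is the
// Content-Type of the fetched resource.
function shouldLoadPlugin(allowedTypes, declaredType, resourceType) {
  const declared = normalizeMimeType(declaredType);
  if (declared === null) {
    return { load: false, reason: "no declared type" };
  }
  if (!allowedTypes.has(declared)) {
    return { load: false, reason: "declared type not whitelisted" };
  }
  if (declared !== normalizeMimeType(resourceType)) {
    return { load: false, reason: "declared type does not match resource type" };
  }
  return { load: true, reason: "ok" };
}
```

The four bullets in the message map directly onto the four possible results, and the third case (a whitelisted `application/pdf` declared for a resource served as Flash) is the type-confusion the proposal rules out.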