- From: Mike West <mkwst@google.com>
- Date: Sat, 18 Aug 2012 21:38:38 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=fBN9yAG6Mo+65k+jVodSFXC0N5y5jBhRjgmX4kz_3eGw@mail.gmail.com>
To follow up on this, an experimental implementation of 'plugin-types' that exhibits the behavior discussed here landed in WebKit last week[1]. I'd appreciate any feedback you have about the way it works.

[1]: http://trac.webkit.org/changeset/125531

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Tue, Aug 7, 2012 at 4:13 PM, Mike West <mkwst@google.com> wrote:
> Hello, public-webappsec!
>
> While fiddling around with an experimental WebKit implementation of the
> `plugin-types` directive[1], we realized that the implementation can be
> greatly simplified by requiring that the browser behave as though
> `typemustmatch`[2] is set on the element loading the plugin.
>
> In a nutshell, this would require web authors to explicitly declare the
> type of the plugin they'd like to load by adding a `type` attribute to the
> `object` element. The plugin then only loads if the MIME type of the
> resource that's loaded actually matches that declared type. Given
> `plugin-types application/x-shockwave-flash application/pdf`:
>
> * `<object data="awesomeflash.swf" type="application/x-shockwave-flash"></object>`
>   would load.
>
> * `<object data="awesomeflash.swf" type="application/x-not-flash"></object>`
>   would not, as the declared type isn't whitelisted.
>
> * `<object data="awesomeflash.swf" type="application/pdf"></object>` would
>   not, as the declared type doesn't match the resource type.
>
> * `<object data="awesomeflash.swf"></object>` would not, as it has no
>   declared type.
>
> This has some nice security properties (preventing confusion attacks) at
> fairly minimal cost to the developer. In fact, I believe Chromium turns
> this behavior on by default, regardless of the presence of the
> `typemustmatch` attribute.
>
> What do you think about adjusting the spec to make this behavior required
> if the `plugin-types` directive is set?
>
> Thanks!
>
> [1]: http://webk.it/91919
> [2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
Received on Saturday, 18 August 2012 19:39:31 UTC
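The load/no-load rule Mike describes (declared `type` required, declared type must be in the `plugin-types` whitelist, fetched resource's MIME type must match the declared type) is easy to get subtly wrong, so here is a small model of it as an added example. This is not WebKit's code and not part of the thread; the function names, the CSP-header parsing and the assumed `Content-Type` returned for `awesomeflash.swf` are my own assumptions for the illustration. It runs the four `<object>` variants from the message plus one extra case the message's rule also covers: the page declares Flash but the server hands back a PDF.

```javascript
// Added example (not WebKit's code, not from the thread): a model of the
// plugin load decision described in the message for an <object> element
// loaded under a policy that carries `plugin-types`. Function names, CSP
// parsing and the sample response types are assumptions for this example.

// Parse a Content-Security-Policy header value into directive -> tokens.
// The first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of String(header).split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Reduce a MIME type to its lower-cased essence, dropping parameters such as
// "; charset=...". Returns null for a missing or empty type.
function mimeEssence(type) {
  if (typeof type !== 'string') return null;
  const essence = type.split(';')[0].trim().toLowerCase();
  return essence.length > 0 ? essence : null;
}

// Decide whether <object data=... type=declaredType> may instantiate a plugin
// when the fetched resource arrives with Content-Type resourceType.
// The checks follow the four cases in the message: a declared type is
// required, it must be whitelisted, and the resource must actually match it.
function pluginLoadDecision(cspHeader, declaredType, resourceType) {
  const pluginTypes = parseCsp(cspHeader).get('plugin-types');
  if (pluginTypes === undefined) {
    return { allowed: true, reason: 'no plugin-types directive in policy' };
  }
  const whitelist = new Set(pluginTypes.map(mimeEssence).filter(Boolean));
  const declared = mimeEssence(declaredType);
  if (declared === null) {
    return { allowed: false, reason: 'object has no declared type attribute' };
  }
  if (!whitelist.has(declared)) {
    return { allowed: false, reason: `declared type ${declared} is not whitelisted` };
  }
  const actual = mimeEssence(resourceType);
  if (actual !== declared) {
    return { allowed: false, reason: `resource type ${actual} does not match declared type ${declared}` };
  }
  return { allowed: true, reason: 'declared type is whitelisted and matches the resource' };
}

// Constructed inputs: the policy from the message, plus an assumed
// Content-Type for awesomeflash.swf (the server is assumed to label it correctly).
const POLICY = "default-src 'self'; plugin-types application/x-shockwave-flash application/pdf";
const SWF_RESPONSE_TYPE = 'application/x-shockwave-flash';

// The four <object> variants from the message, plus a type-confusion attempt
// where the page declares Flash but the server returns a PDF.
const CASES = [
  { name: 'declared flash, server flash',  declared: 'application/x-shockwave-flash', resource: SWF_RESPONSE_TYPE },
  { name: 'declared non-whitelisted type', declared: 'application/x-not-flash',        resource: SWF_RESPONSE_TYPE },
  { name: 'declared pdf, server flash',    declared: 'application/pdf',                resource: SWF_RESPONSE_TYPE },
  { name: 'no type attribute',             declared: undefined,                        resource: SWF_RESPONSE_TYPE },
  { name: 'declared flash, server pdf',    declared: 'application/x-shockwave-flash', resource: 'application/pdf' },
];

// Evaluate every case; returns an array of { name, allowed, reason }.
function runCases() {
  return CASES.map((c) => ({ name: c.name, ...pluginLoadDecision(POLICY, c.declared, c.resource) }));
}

for (const r of runCases()) {
  console.log(`${r.allowed ? 'LOAD ' : 'BLOCK'}  ${r.name}: ${r.reason}`);
}
```

Two details worth noting when reading the model: MIME comparison is done on the type essence (parameters such as `charset` stripped, case folded), which is the comparison a browser makes, and a duplicated `plugin-types` directive later in the same header is ignored rather than merged, which is how CSP treats repeated directives. The directive itself was specified in CSP Level 2 and has since been dropped from CSP Level 3 along with the plugins it governed, so the model is of historical interest; the type-confusion point it makes still applies to any loader that trusts a resource's declared type.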