Re: CSP 1.1: `plugin-types`, and explicit type declaration. from Mike West on 2012-08-18 (public-webappsec@w3.org from August 2012)

From: Mike West <mkwst@google.com>
Date: Sat, 18 Aug 2012 21:38:38 +0200
To: public-webappsec@w3.org
Message-ID: <CAKXHy=fBN9yAG6Mo+65k+jVodSFXC0N5y5jBhRjgmX4kz_3eGw@mail.gmail.com>

To follow up on this, an experimental implementation of 'plugin-types' that
exhibits the behavior discussed here landed in WebKit last week[1]. I'd
appreciate any feedback you have about the way it works.

[1]: http://trac.webkit.org/changeset/125531

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Aug 7, 2012 at 4:13 PM, Mike West <mkwst@google.com> wrote:

> Hello, public-webappsec!
>
> While fiddling around with an experimental WebKit implementation of the
> `plugin-types` directive[1], we realized that the implementation can be
> greatly simplified by requiring that the browser behave as though
> `typemustmatch`[2] is set on the element loading the plugin.
>
> In a nutshell, this would require web authors to explicitly declare the
> type of the plugin they'd like to load by adding a `type` attribute to the
> `object` element. The plugin then only loads if the MIME type of the
> resource that's loaded actually matches that declared type. Given
> `plugin-types application/x-shockwave-flash application/pdf`:
>
> * `<object data="awesomeflash.swf"
> type="application/x-shockwave-flash"></object>` would load.
>
> * `<object data="awesomeflash.swf"
> type="application/x-not-flash"></object>` would not, as the declared type
> isn't whitelisted.
>
> * `<object data="awesomeflash.swf" type="application/pdf"></object>` would
> not, as the declared type doesn't match the resource type.
>
> * `<object data="awesomeflash.swf"></object>` would not, as it has no
> declared type.
>
> This has some nice security properties (preventing confusion attacks) at
> fairly minimal cost to the developer. In fact, I believe Chromium turns
> this behavior on by default, regardless of the presence of the
> `typemustmatch` attribute.
>
> What do you think about adjusting the spec to make this behavior required
> if the `plugin-types` directive is set?
>
> Thanks!
>
> [1]: http://webk.it/91919
> [2]:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>

Received on Saturday, 18 August 2012 19:39:31 UTC