Re: CSP 1.1: `plugin-types`, and explicit type declaration.

To formalize this follow up, I've added a strawman description of the type
declaration enforcement to the 1.1 draft[1]. Feedback is welcome. :)

[1]: https://dvcs.w3.org/hg/content-security-policy/rev/5b353a8ac072

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Sat, Aug 18, 2012 at 9:38 PM, Mike West <mkwst@google.com> wrote:

> To follow up on this, an experimental implementation of 'plugin-types'
> that exhibits the behavior discussed here landed in WebKit last week[1].
> I'd appreciate any feedback you have about the way it works.
>
> [1]: http://trac.webkit.org/changeset/125531
>
> On Tue, Aug 7, 2012 at 4:13 PM, Mike West <mkwst@google.com> wrote:
>
>> Hello, public-webappsec!
>>
>> While fiddling around with an experimental WebKit implementation of the
>> `plugin-types` directive[1], we realized that the implementation can be
>> greatly simplified by requiring that the browser behave as though
>> `typemustmatch`[2] is set on the element loading the plugin.
>>
>> In a nutshell, this would require web authors to explicitly declare the
>> type of the plugin they'd like to load by adding a `type` attribute to the
>> `object` element. The plugin then only loads if the MIME type of the
>> resource that's loaded actually matches that declared type. Given
>> `plugin-types application/x-shockwave-flash application/pdf`:
>>
>> * `<object data="awesomeflash.swf"
>> type="application/x-shockwave-flash"></object>` would load.
>>
>> * `<object data="awesomeflash.swf"
>> type="application/x-not-flash"></object>` would not, as the declared type
>> isn't whitelisted.
>>
>> * `<object data="awesomeflash.swf" type="application/pdf"></object>`
>> would not, as the declared type doesn't match the resource type.
>>
>> * `<object data="awesomeflash.swf"></object>` would not, as it has no
>> declared type.
>>
>> This has some nice security properties (preventing confusion attacks) at
>> fairly minimal cost to the developer. In fact, I believe Chromium turns
>> this behavior on by default, regardless of the presence of the
>> `typemustmatch` attribute.
>>
>> What do you think about adjusting the spec to make this behavior required
>> if the `plugin-types` directive is set?
>>
>> Thanks!
>>
>> [1]: http://webk.it/91919
>> [2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch
>>

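As an added illustration (not code from the thread, the draft, or the WebKit patch), here is a small model of the check the proposal describes: the `plugin-types` whitelist is parsed from a CSP header value, the `object` element must carry a declared `type`, and the resource only loads when the declared type is whitelisted and equals the MIME type the server actually returned. Function names, the header-parsing shape and the normalization of MIME parameters are assumptions made for this example.

```javascript
// Added example modelling plugin-types with implied typemustmatch.
// Names and parsing details are assumptions, not the spec's own API.

// Normalize a MIME type: lowercase, drop parameters such as "; q=1".
// Returns null for anything that is not a plausible type/subtype.
function normalizeMime(t) {
  if (typeof t !== 'string') return null;
  const base = t.split(';')[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(base) ? base : null;
}

// Extract the plugin-types whitelist from a CSP header value.
// Returns null when the directive is absent (no restriction applies).
function parsePluginTypes(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'plugin-types') {
      return new Set(tokens.slice(1).map(normalizeMime).filter(Boolean));
    }
  }
  return null;
}

// Decide whether an <object> may load given the policy, the element's
// declared `type` attribute and the MIME type the resource was served with.
function pluginLoadDecision(cspHeader, declaredType, resourceType) {
  const whitelist = parsePluginTypes(cspHeader);
  if (whitelist === null) return { allowed: true, reason: 'no plugin-types directive' };
  const declared = normalizeMime(declaredType);
  if (declared === null) return { allowed: false, reason: 'no declared type' };
  if (!whitelist.has(declared)) return { allowed: false, reason: 'declared type not whitelisted' };
  const actual = normalizeMime(resourceType);
  if (actual !== declared) return { allowed: false, reason: 'declared type does not match resource type' };
  return { allowed: true, reason: 'ok' };
}

// Constructed sample policy matching the four cases in the message above.
const POLICY = "default-src 'self'; plugin-types application/x-shockwave-flash application/pdf";
const SWF = 'application/x-shockwave-flash';
```

The four bullets in the original message map to calls with declared types `application/x-shockwave-flash`, `application/x-not-flash`, `application/pdf` and `undefined`, each against a resource served as `application/x-shockwave-flash`.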
Received on Sunday, 26 August 2012 15:00:32 UTC