- From: Mike West <mkwst@google.com>
- Date: Sun, 26 Aug 2012 16:59:43 +0200
- To: public-webappsec@w3.org
- Cc: Adam Barth <w3c@adambarth.com>
- Message-ID: <CAKXHy=fhT-GqCPA6Gm_BAbe7x-fj_Lv1_GrCh9ckTLTGbB931w@mail.gmail.com>
To formalize this follow up, I've added a strawman description of the type declaration enforcement to the 1.1 draft[1]. Feedback is welcome. :)

[1]: https://dvcs.w3.org/hg/content-security-policy/rev/5b353a8ac072

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Sat, Aug 18, 2012 at 9:38 PM, Mike West <mkwst@google.com> wrote:
> To follow up on this, an experimental implementation of 'plugin-types'
> that exhibits the behavior discussed here landed in WebKit last week[1].
> I'd appreciate any feedback you have about the way it works.
>
> [1]: http://trac.webkit.org/changeset/125531
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Tue, Aug 7, 2012 at 4:13 PM, Mike West <mkwst@google.com> wrote:
>
>> Hello, public-webappsec!
>>
>> While fiddling around with an experimental WebKit implementation of the
>> `plugin-types` directive[1], we realized that the implementation can be
>> greatly simplified by requiring that the browser behave as though
>> `typemustmatch`[2] is set on the element loading the plugin.
>>
>> In a nutshell, this would require web authors to explicitly declare the
>> type of the plugin they'd like to load by adding a `type` attribute to the
>> `object` element. The plugin then only loads if the MIME type of the
>> resource that's loaded actually matches that declared type. Given
>> `plugin-types application/x-shockwave-flash application/pdf`:
>>
>> * `<object data="awesomeflash.swf" type="application/x-shockwave-flash"></object>`
>>   would load.
>>
>> * `<object data="awesomeflash.swf" type="application/x-not-flash"></object>`
>>   would not, as the declared type isn't whitelisted.
>>
>> * `<object data="awesomeflash.swf" type="application/pdf"></object>`
>>   would not, as the declared type doesn't match the resource type.
>>
>> * `<object data="awesomeflash.swf"></object>` would not, as it has no
>>   declared type.
>>
>> This has some nice security properties (preventing confusion attacks) at
>> fairly minimal cost to the developer. In fact, I believe Chromium turns
>> this behavior on by default, regardless of the presence of the
>> `typemustmatch` attribute.
>>
>> What do you think about adjusting the spec to make this behavior required
>> if the `plugin-types` directive is set?
>>
>> Thanks!
>>
>> [1]: http://webk.it/91919
>> [2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-object-typemustmatch
>>
>> --
>> Mike West <mkwst@google.com>, Developer Advocate
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>
>
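The enforcement rule described in the quoted message (a `plugin-types` whitelist plus an implied `typemustmatch`), as an added example that is not part of the thread or of WebKit's implementation; all function names are mine, and the served Content-Type for awesomeflash.swf is a constructed value:

```python
# Added example (my own code, not from the thread or WebKit): a model of the rule
# Mike describes, plugin-types with typemustmatch implied; served types are constructed.
from html.parser import HTMLParser
from typing import Optional

def parse_plugin_types(directive: str) -> set[str]:
    """'plugin-types application/x-shockwave-flash application/pdf' -> set."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "plugin-types":
        tokens = tokens[1:]
    return {t.lower() for t in tokens}

def mime_essence(value: Optional[str]) -> Optional[str]:
    """Drop parameters and case: 'Application/PDF; v=1' -> 'application/pdf'."""
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower() or None

def plugin_load_decision(allowed: set[str], declared_type: Optional[str],
                         resource_type: Optional[str]) -> tuple[bool, str]:
    """(loads, reason) for one element, checked in the order the thread lists."""
    declared = mime_essence(declared_type)
    if declared is None:
        return False, "no declared type"
    if declared not in allowed:
        return False, "declared type isn't whitelisted"
    if mime_essence(resource_type) != declared:
        return False, "declared type doesn't match the resource type"
    return True, "loaded"

class _ObjectAttrs(HTMLParser):
    """Collect the attributes of the first <object> start tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict[str, Optional[str]] = {}
    def handle_starttag(self, tag, attrs):
        if tag == "object" and not self.attrs:
            self.attrs = dict(attrs)

def decide_for_markup(directive: str, markup: str, served: str) -> tuple[bool, str]:
    """Apply the policy to an <object> snippet given the served Content-Type."""
    p = _ObjectAttrs()
    p.feed(markup)
    return plugin_load_decision(parse_plugin_types(directive), p.attrs.get("type"), served)

if __name__ == "__main__":
    policy = "plugin-types application/x-shockwave-flash application/pdf"
    tag = '<object data="awesomeflash.swf" type="application/pdf"></object>'
    print(decide_for_markup(policy, tag, "application/x-shockwave-flash"))
```

Running the four `<object>` elements from the message through `decide_for_markup` reproduces the four outcomes listed there, with the first check (a missing `type`) failing before any network-derived value is consulted.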
Received on Sunday, 26 August 2012 15:00:32 UTC