W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

CSP 1.1: Behavior when presented with an invalid plugin-types directive?

From: Mike West <mkwst@google.com>
Date: Mon, 23 Jul 2012 00:28:46 -0500
Message-ID: <CAKXHy=dn17K4c8LFy7+S7mjyqEa8Fm5gzAh+ELVE=3GM+Tq3AA@mail.gmail.com>
To: public-webappsec@w3.org
Hello, public-webappsec!

I'm in the process of putting together an experimental implementation of
the `plugin-types` directive[1], and ran into a question that should
probably be discussed here. What should we do when presented with a
directive that contains invalid plugin types?

For example, if a user agent receives `Content-Security-Policy:
plugin-types application/pdf foobar image/jpg;`, we have at least two

1. Ignore items in the list that don't look like MIME types. This is what
we do in the various *-src directives, as it leaves room for future
additions to the policy syntax. This option would leave PDF and JPG content
as whitelisted.

2. Treat any recognizably invalid item (one containing invalid characters,
or one not in the form `type/subtype`) as a reason to fail loudly, as we do
with `script-nonce`. This option would set the allowed plugin media types
to the empty set.

I lean towards #2 as it seems less likely to leave a developer with the
mistaken impression that her directive is working the way she expects (and
tweaked the editor's draft to that effect over the weekend[2]). Still, the
security risk of simply ignoring invalid items is probably quite low,
so expansion of the syntax might be a good reason to opt for #1 instead.



[1]: https://bugs.webkit.org/show_bug.cgi?id=91919
[2]: https://dvcs.w3.org/hg/content-security-policy/rev/5e6fdb226239

Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 23 July 2012 05:29:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:59 UTC