- From: Mike West <mkwst@google.com>
- Date: Mon, 23 Jul 2012 00:28:46 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=dn17K4c8LFy7+S7mjyqEa8Fm5gzAh+ELVE=3GM+Tq3AA@mail.gmail.com>
Hello, public-webappsec! I'm in the process of putting together an experimental implementation of the `plugin-types` directive[1], and ran into a question that should probably be discussed here. What should we do when presented with a directive that contains invalid plugin types? For example, if a user agent receives `Content-Security-Policy: plugin-types application/pdf foobar image/jpg;`, we have at least two options: 1. Ignore items in the list that don't look like MIME types. This is what we do in the various *-src directives, as it leaves room for future additions to the policy syntax. This option would leave PDF and JPG content as whitelisted. 2. Treat any recognizably invalid item (one containing invalid characters, or one not in the form `type/subtype`) as a reason to fail loudly, as we do with `script-nonce`. This option would set the allowed plugin media types to the empty set. I lean towards #2 as it seems less likely to leave a developer with the mistaken impression that her directive is working the way she expects (and tweaked the editor's draft to that effect over the weekend[2]). Still, the security risk of simply ignoring invalid items is probably quite low, so expansion of the syntax might be a good reason to opt for #1 instead. Thoughts? Thanks! [1]: https://bugs.webkit.org/show_bug.cgi?id=91919 [2]: https://dvcs.w3.org/hg/content-security-policy/rev/5e6fdb226239 -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 23 July 2012 05:29:36 UTC