Thanks for the feedback. I'm convinced I was wrong. I've just pushed
https://dvcs.w3.org/hg/content-security-policy/rev/4700cb782553 which
reverts the draconian behavior in favor of simply ignoring invalid media
types. Copy/pasting the commit message here:
---
CSP 1.1: `plugin-types` no longer parses in a draconian fashion.
After a bit of discussion[1], it seems that there's consensus to revert the earlier change to `plugin-types`'s behavior with regard to grammatically invalid media types. Given `plugin-types invalid application/pdf;`, the policy will allow resources of type `application/pdf` to load, and simply ignore the `invalid` media type.
Two reasons for this change:
1. `plugin-types`, unlike `script-nonce`, fails closed. That is, it defaults to an empty set of media types, and only allows those it understands. A draconian policy doesn't really enhance this effect[2].
2. We'd like to retain the ability to extend the media type list grammar in the future, perhaps by adding hosts[3].
[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0073.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0077.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0078.html
---
Thanks!
-mike
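The parsing behaviour described in the commit message above, written out as an added illustration (this is not code from the CSP spec or from any browser): well-formed `type/subtype` entries are kept, grammatically invalid entries are dropped, and a `plugin-types` directive left with no valid entries allows nothing. The token grammar assumed here is the RFC 2045 token (no parameters), and a policy with no `plugin-types` directive is treated as leaving plugins unrestricted.

```python
import re

# RFC 2045 token: printable ASCII other than space, CTLs and tspecials ()<>@,;:\"/[]?=
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# A media type for plugin-types purposes is exactly one token, a slash, one token.
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")


def parse_plugin_types(entries):
    """Keep only well-formed type/subtype entries (lowercased); drop the rest.

    Dropping rather than rejecting the whole directive is the reverted
    behaviour: `invalid` is ignored, `application/pdf` still counts.
    """
    allowed = set()
    for entry in entries:
        if _MEDIA_TYPE_RE.match(entry):
            allowed.add(entry.lower())
    return allowed


def plugin_types_from_policy(policy):
    """Return the allowed set for the first `plugin-types` directive in a
    policy string, or None if the policy has no such directive."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "plugin-types":
            return parse_plugin_types(parts[1:])
    return None


def plugin_allowed(policy, resource_type):
    """Decide whether a plugin resource of `resource_type` may load.

    Fails closed: a directive whose entries were all invalid yields an empty
    set, so nothing is allowed. No directive at all means no restriction
    (an assumption made here for the sake of the example).
    """
    allowed = plugin_types_from_policy(policy)
    if allowed is None:
        return True
    return resource_type.lower() in allowed


if __name__ == "__main__":
    # Constructed sample policy, taken from the example in the message.
    policy = "plugin-types invalid application/pdf;"
    print(plugin_allowed(policy, "application/pdf"))  # True
    print(plugin_allowed(policy, "application/x-shockwave-flash"))  # False
```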