[webappsec] plugin-types directive for CLSIDs in IE

Issue-50 in our WebAppSec tracker refers to the need to specify syntax for using the plugin-types directive (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#plugin-types) with IE when it uses the CLSID method for identifying ActiveX embeds.  

I wonder if David Ross, Jacob Rossi or someone else at Microsoft can help us resolve this?

We could just allow a syntax much like the classid attribute, ("clsid: D27CDB6E-AE6D-11cf-96B8-444553540000") but perhaps no change is needed?

The Windows Registry under \\HKEY_CLASSES_ROOT\MIME\Database\Content Type\ has mappings from MIME Types to CLSIDs.  Are these reliably populated? (there seem to be a lot of them on my machine)  Can IE just use this to determine what CLSIDs are implied by a given MIME type in a plugin-types directive?

Thanks,

Brad

Received on Tuesday, 4 June 2013 00:19:16 UTC