webappsec-ISSUE-74 (plugin-types 'none'): allow explicitly setting the 'none' keyword source for plugin-type directive [CSP Level 3] from Web Application Security Working Group Issue Tracker on 2014-12-30 (public-webappsec@w3.org from December 2014)

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 30 Dec 2014 19:31:04 +0000
To: public-webappsec@w3.org
Message-Id: <E1Y62VU-0003Eb-7x@stuart.w3.org>

webappsec-ISSUE-74 (plugin-types 'none'): allow explicitly setting the 'none' keyword source for plugin-type directive [CSP Level 3]

http://www.w3.org/2011/webappsec/track/issues/74

Raised by: Brad Hill
On product: CSP Level 3

Craig Francis (craig@craigfrancis.co.uk) to public-webappsec

Hi,

In regards to the plugin-types:

http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types

Google Chrome (v40) complains if you set 'none' for the plugin-types directive (or leave it blank).

https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ

I would personally prefer to have this option, so the default for the website is to always return 'none', then plugin-types can be set as needed (along with the object-src).

Received on Tuesday, 30 December 2014 19:31:08 UTC