why does plugin-types inherit to nested browsing contexts?

From: Emily Stark <estark@google.com>
Date: Wed, 25 Feb 2015 14:20:48 -0800
Message-ID: <CAPP_2SaJEvEZ7_B+6Cb_a3-s=y9i=nuZocK4+-FAmGsAbHjRUA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>

While investigating a few CSP bugs in Chrome, I noticed this text in the
CSP 1.1 spec for plugin-types:

"Whenever the user agent creates a plugin document in a browsing context
nested in the protected resource, if the user agent is enforcing any
plugin-types directives for the protected resource, the user agent must
enforce those plugin-types directives on the plugin document as well."
(http://www.w3.org/TR/2014/WD-CSP11-20140211/#plugin-types)

Dev (cc'ed) and I found this behavior a little odd and were wondering why
plugin-types is inherited. Is the goal to give a developer a way to say
"don't allow Flash to appear anywhere in the content area of my page?" Why
is this directive inherited but not any others?

Thanks,
Emily
Received on Wednesday, 25 February 2015 22:21:36 UTC
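
The rule quoted in the message above, as a simplified model added here for illustration (not part of the original message, and not browser or spec code): only the embedding page's plugin-types directive is applied to a plugin document created in a nested browsing context. The function names and the sample policy are assumptions.

```javascript
// Simplified model of the quoted plugin-types rule; all names are hypothetical.

// Parse a CSP header value into a Map of directive name -> list of values.
function parseDirectives(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence is kept.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Of the embedding page's directives, only plugin-types is carried onto a
// plugin document created in a nested browsing context.
function inheritedByPluginDocument(parentPolicy) {
  const types = parseDirectives(parentPolicy).get('plugin-types');
  return types ? new Map([['plugin-types', types]]) : new Map();
}

// Decide whether a plugin document of `mediaType` may be created in a frame
// nested in a page that enforces `parentPolicy`.
function pluginDocumentAllowed(parentPolicy, mediaType) {
  const types = inheritedByPluginDocument(parentPolicy).get('plugin-types');
  if (types === undefined) return true; // no plugin-types enforced: no restriction
  // Media types are compared case-insensitively.
  return types.some(t => t.toLowerCase() === mediaType.toLowerCase());
}

// Constructed sample policy for the embedding page.
const parentPolicy = "script-src 'self'; plugin-types application/pdf";
console.log(pluginDocumentAllowed(parentPolicy, 'application/pdf'));
console.log(pluginDocumentAllowed(parentPolicy, 'application/x-shockwave-flash'));
console.log([...inheritedByPluginDocument(parentPolicy).keys()]);
```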
