why does plugin-types inherit to nested browsing contexts?

While investigating a few CSP bugs in Chrome, I noticed this text in the
CSP 1.1 spec for plugin-types:

"Whenever the user agent creates a plugin document in a browsing context
nested in the protected resource, if the user agent is enforcing any
plugin-typesdirectives for the protected resource, the user agent must
enforce those plugin-types directives on the plugin document as well."

Dev (cc'ed) and I found this behavior a little odd and were wondering why
plugin-types is inherited. Is the goal to give a developer a way to say
"don't allow Flash to appear anywhere in the content area of my page?" Why
is this directive inherited but not any others?


Received on Wednesday, 25 February 2015 22:21:36 UTC