- From: Emily Stark <estark@google.com>
- Date: Wed, 25 Feb 2015 14:20:48 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
Received on Wednesday, 25 February 2015 22:21:36 UTC
While investigating a few CSP bugs in Chrome, I noticed this text in the CSP 1.1 spec for plugin-types:

"Whenever the user agent creates a plugin document in a browsing context nested in the protected resource, if the user agent is enforcing any plugin-types directives for the protected resource, the user agent must enforce those plugin-types directives on the plugin document as well." (http://www.w3.org/TR/2014/WD-CSP11-20140211/#plugin-types)

Dev (cc'ed) and I found this behavior a little odd and were wondering why plugin-types is inherited. Is the goal to give a developer a way to say "don't allow Flash to appear anywhere in the content area of my page?" Why is this directive inherited but not any others?

Thanks,
Emily
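The inheritance rule quoted in the message above, modelled as a small policy checker. This is an added example, not code from the original message, from Chrome, or from the CSP specification. It assumes the policy is given as the value of a `Content-Security-Policy` header, that media types are matched ASCII-case-insensitively on type/subtype, and that a plugin document (an iframe navigated straight to a `.swf` or `.pdf`, say) carries no CSP of its own, which is exactly why the protected resource's `plugin-types` has to reach it. The function names `parse_plugin_types` and `plugin_blocked_by` are this example's own.

```python
"""Added example: model of CSP 1.1 plugin-types inheritance into nested plugin
documents. Not the spec's or a browser's code; see the lead-in for assumptions."""

import re
from typing import List, Optional, Set

# Loose RFC 2045-style "type/subtype" token check (assumption: good enough here).
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def parse_plugin_types(csp_header: Optional[str]) -> Optional[Set[str]]:
    """Return the media types allowed by the plugin-types directive, or None
    when the header is absent or has no plugin-types directive at all
    (nothing to enforce). An empty set means "plugin-types" was present with
    no usable values, so every plugin type is rejected."""
    if not csp_header:
        return None
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "plugin-types":
            return {t.lower() for t in tokens[1:] if MEDIA_TYPE.match(t)}
    return None


def plugin_blocked_by(chain: List[Optional[str]], plugin_media_type: str) -> List[int]:
    """chain[0] is the CSP header of the protected resource; chain[1:] are the
    headers of successively nested browsing contexts down to the one in which
    the plugin document would be created (None where a document sends no CSP).

    Per the quoted spec text, a plugin-types directive enforced on the
    protected resource is also enforced on plugin documents nested in it, so
    every ancestor's directive is consulted, not just the nearest one.
    Returns the depths whose directive rejects plugin_media_type; an empty
    list means the plugin document may be created."""
    wanted = plugin_media_type.lower()
    blocking = []
    for depth, header in enumerate(chain):
        allowed = parse_plugin_types(header)
        if allowed is not None and wanted not in allowed:
            blocking.append(depth)
    return blocking


if __name__ == "__main__":
    # Constructed scenario: the top-level page allows only PDF plugins and
    # embeds an iframe that sends no CSP; that iframe is navigated to a Flash
    # movie, producing a plugin document nested in the protected resource.
    top_level = "default-src 'self'; plugin-types application/pdf"
    chain = [top_level, None]
    print("Flash blocked by depths:", plugin_blocked_by(chain, "application/x-shockwave-flash"))  # [0]
    print("PDF blocked by depths:", plugin_blocked_by(chain, "Application/PDF"))  # []
```

Without the inheritance rule the second entry in `chain` (the policy-less iframe) would decide on its own and the Flash plugin document would load; with it, the top-level directive at depth 0 is what rejects it, which matches the "don't allow Flash anywhere in my content area" reading the message asks about.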