Re: why does plugin-types inherit to nested browsing contexts?

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 25 Feb 2015 22:39:21 +0000
Message-ID: <CAEeYn8gMLoUpj4cHf5uTUtvBmxXaGvhHvdNy5S0KWu5wAaS6=A@mail.gmail.com>
To: Emily Stark <estark@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
I'm going to guess this is due to some peculiarities in how Flash and PDF
allow embedding.  In this situation for CSP the plugin document is treated
like a script.  So e.g. a script can be loaded from "allowed.com" but can't
then inject another script element from "disallowed.com" if that's not in
policy.  Similarly, a SWF from "allowed.com" shouldn't be allowed to then
embed another SWF from "disallowed.com", or this would be a trivial bypass.

On Wed Feb 25 2015 at 2:23:17 PM Emily Stark <estark@google.com> wrote:

> While investigating a few CSP bugs in Chrome, I noticed this text in the
> CSP 1.1 spec for plugin-types:
>
> "Whenever the user agent creates a plugin document in a browsing context
> nested in the protected resource, if the user agent is enforcing any
> plugin-types directives for the protected resource, the user agent must
> enforce those plugin-types directives on the plugin document as well."
> (http://www.w3.org/TR/2014/WD-CSP11-20140211/#plugin-types)
>
> Dev (cc'ed) and I found this behavior a little odd and were wondering why
> plugin-types is inherited. Is the goal to give a developer a way to say
> "don't allow Flash to appear anywhere in the content area of my page?" Why
> is this directive inherited but not any others?
>
> Thanks,
> Emily
>
Received on Wednesday, 25 February 2015 22:39:49 UTC
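A small model of the rule the thread discusses, added here as an example and not part of either message or of any browser's code: a plugin document has no CSP of its own, so unless the ancestor's plugin-types directive is applied to it as well, a permitted plugin could embed a plugin type the page forbade. The class and function names and the policy strings are constructed for this illustration.

```python
# Added example (not from the thread): how applying an ancestor's plugin-types
# directive to a nested plugin document closes the bypass described above.
from dataclasses import dataclass, field
from typing import Optional


def parse_csp(header: str) -> dict:
    """Parse a serialized CSP header into {directive-name: [values]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


@dataclass
class BrowsingContext:
    policy: dict = field(default_factory=dict)        # this document's own CSP
    parent: Optional["BrowsingContext"] = None
    is_plugin_document: bool = False                   # a SWF, PDF, etc. document


def applicable_plugin_type_lists(ctx, inherit=True):
    """All plugin-types allow-lists that bind ctx.  With inherit=True (the CSP 1.1
    text quoted above) a plugin document is also bound by its ancestors' lists."""
    lists = []
    if "plugin-types" in ctx.policy:
        lists.append(ctx.policy["plugin-types"])
    if inherit and ctx.is_plugin_document and ctx.parent is not None:
        lists.extend(applicable_plugin_type_lists(ctx.parent, inherit))
    return lists


def may_create_plugin(ctx, mime_type, inherit=True):
    """A plugin may be instantiated only if every applicable list permits its type."""
    return all(mime_type in allowed for allowed in applicable_plugin_type_lists(ctx, inherit))


def demo():
    # Constructed scenario: the page permits PDF plugins only.
    page = BrowsingContext(policy=parse_csp("default-src 'self'; plugin-types application/pdf"))
    pdf = BrowsingContext(parent=page, is_plugin_document=True)  # nested plugin doc, no CSP
    flash = "application/x-shockwave-flash"
    return {
        "pdf_in_page": may_create_plugin(page, "application/pdf"),
        "flash_in_page": may_create_plugin(page, flash),
        "flash_in_pdf_inherited": may_create_plugin(pdf, flash),        # blocked: bypass closed
        "flash_in_pdf_no_inherit": may_create_plugin(pdf, flash, inherit=False),  # the bypass
    }


if __name__ == "__main__":
    print(demo())
```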