
Re: [CSP3] Allow plugin-types "none"

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 11:37:21 +0100
Message-ID: <CAKXHy=erspRh8P0ss9B_H2bEbT9EH4=Wt65MJTCC=ihJ3P0RPw@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I don't understand the use case. This should be addressed by `object-src 'none'`, shouldn't it?

In particular, I don't understand the notion of a default which can be
overridden as needed. If `plugin-types 'none'` was set, how would you allow
something in the future?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Dec 30, 2014 at 8:31 PM, Brad Hill <hillbrad@gmail.com> wrote:

> https://www.w3.org/2011/webappsec/track/issues/74
>
>
> On Tue Dec 30 2014 at 10:32:17 AM Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>
>> Hi,
>>
>> In regards to the plugin-types:
>>
>>
>> http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types
>>
>> Google Chrome (v40) complains if you set 'none' for the plugin-types
>> directive (or leave it blank).
>>
>>
>> https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ
>>
>> I would personally prefer to have this option, so the default for the
>> website is to always return 'none', then plugin-types can be set as needed
>> (along with the object-src).
>>
>> Craig
>>
>
Received on Thursday, 8 January 2015 10:38:09 UTC
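The distinction Mike draws above, as an added example that is not part of the thread: a small evaluator for the `object-src` and `plugin-types` directives, showing that `object-src 'none'` already blocks every plugin load, while a site that later wants a specific plugin widens `object-src` and lists the MIME type in `plugin-types`. It assumes a simplified source-expression grammar (`'none'`, `'self'`, `*`, exact origins) and the CSP2 rule that a present `plugin-types` must list the plugin's type; the function names are my own.

```python
"""Simplified CSP plugin-load check (added example, not spec text or browser code).

Assumptions: source expressions are limited to 'none', 'self', '*' and exact
origins (scheme://host[:port]); wildcard hosts, paths and nonces are not handled.
plugin-types follows CSP2: when present, a plugin loads only if its MIME type is listed.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [values]}.

    As in the spec, only the first occurrence of a directive is honoured.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source_list, url, page_origin):
    """Return True if url is permitted by the (simplified) source list."""
    if not source_list or "'none'" in source_list:
        return False  # an empty list and 'none' both match nothing
    for expr in source_list:
        if expr == "*":
            return True
        if expr == "'self'" and origin_of(url) == page_origin.lower():
            return True
        if expr.lower() == origin_of(url):
            return True
    return False


def plugin_allowed(header, plugin_url, mime_type, page_origin):
    """Decide whether <object>/<embed> at plugin_url with mime_type may load."""
    policy = parse_csp(header)
    # object-src governs plugin URLs; when absent it falls back to default-src.
    sources = policy.get("object-src", policy.get("default-src"))
    if sources is not None and not source_matches(sources, plugin_url, page_origin):
        return False
    # plugin-types, when present, must list the MIME type explicitly.
    types = policy.get("plugin-types")
    if types is not None and mime_type.lower() not in [t.lower() for t in types]:
        return False
    return True
```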
