Re: [CSP3] Allow plugin-types "none"

I don't understand the use case. This should be addressed by `object-src
'none'`, shouldn't it?

In particular, I don't understand the notion of a default which can be
overridden as needed. If `plugin-types 'none'` was set, how would you allow
something in the future?

-mike

--
Mike West <mkwst@google.com>, @mikewest

On Tue, Dec 30, 2014 at 8:31 PM, Brad Hill <hillbrad@gmail.com> wrote:

> https://www.w3.org/2011/webappsec/track/issues/74
>
>
> On Tue Dec 30 2014 at 10:32:17 AM Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>
>> Hi,
>>
>> In regards to the plugin-types:
>>
>>
>> http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types
>>
>> Google Chrome (v40) complains if you set 'none' for the plugin-types
>> directive (or leave it blank).
>>
>>
>> https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ
>>
>> I would personally prefer to have this option, so the default for the
>> website is to always return 'none', then plugin-types can be set as needed
>> (along with the object-src).
>>
>> Craig
>>
>

Received on Thursday, 8 January 2015 10:38:09 UTC
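
The distinction discussed in this thread, as an added example that is not part of any message above or of any browser's code: a JavaScript check that flags `plugin-types` values that are not media types (the reason a value such as `'none'` does not fit the directive) and reports whether `object-src`, or its `default-src` fallback, already blocks all plugin content. The function names and sample policies are constructed for illustration, and the media-type pattern is a simplification of the CSP grammar.

```javascript
// Added example. Helper names are hypothetical; MEDIA_TYPE is a simplified
// "type/subtype" pattern, not the full grammar from the CSP specification.
const MEDIA_TYPE = /^[^\s\/;,'"]+\/[^\s\/;,'"]+$/;

// Split a policy string into a Map of directive name -> list of value tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence is kept.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report plugin-types problems and whether plugin loads are blocked outright.
function checkPluginPolicy(policy) {
  const d = parsePolicy(policy);
  const findings = [];
  const pluginTypes = d.get('plugin-types');
  if (pluginTypes !== undefined) {
    if (pluginTypes.length === 0) findings.push('plugin-types has no media types');
    for (const t of pluginTypes) {
      if (!MEDIA_TYPE.test(t)) findings.push(`plugin-types value ${t} is not a media type`);
    }
  }
  // object-src falls back to default-src when it is absent.
  const objectSrc = d.has('object-src') ? d.get('object-src') : d.get('default-src');
  // An empty source list and a lone 'none' both match no URL.
  const pluginsBlocked = objectSrc !== undefined &&
    (objectSrc.length === 0 ||
     (objectSrc.length === 1 && objectSrc[0].toLowerCase() === "'none'"));
  return { findings, pluginsBlocked };
}

// Constructed sample policies.
const SAMPLES = [
  "default-src 'self'; plugin-types 'none'",
  "default-src 'self'; object-src 'none'",
  "object-src https://media.example; plugin-types application/pdf",
];
for (const p of SAMPLES) {
  console.log(p, '=>', JSON.stringify(checkPluginPolicy(p)));
}
```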