Re: [CSP3] Allow plugin-types "none"

Hi Mike,

It is addressed by `object-src 'none'`, but I'm hoping for some consistency with the other directives :-)

---

For reference I'm playing with a setup where the CSP header is created (server side) as an array... starting with something like:

	$csp = array(
		'default-src'  => array("'none'"),
		'object-src'   => array('/'),
		'plugin-types' => array(),
		'form-action'  => array('/'),
		'style-src'    => array('/a/css/'),
		'img-src'      => array('/a/img/', 'https://www.google-analytics.com'),
		'script-src'   => array('/a/js/', 'https://www.google-analytics.com'),
	);

The paths are converted into 'self' (older browsers), or a domain + path, see issue 73:

https://www.w3.org/2011/webappsec/track/issues/73

Anyway, on a particular page, it might add to the plugin types array with:

	$csp['plugin-types'][] = 'application/pdf'; // append to the array (a plain assignment would replace it with a string)

Noting that there is a default of allowing objects from anywhere on the current domain (which is probably not a good default).

Then, for any directive that has an empty array, it can use 'none'... which I think is better than excluding the directive (whatever that may be, e.g. 'script-src') and allowing it to fall back to the 'default-src'.

Craig
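
The following is an added example, not code from Craig's message or from any project discussed in the thread, showing one way the array above could be turned into a header string: paths become 'self' for older browsers or origin + path otherwise, and any directive left with an empty array is emitted as 'none' (the behaviour proposed in the thread, which the message notes Chrome 40 rejects for plugin-types). The function names, the $origin and $legacy parameters, and the example origin are my own assumptions.

```php
<?php
// Added example (not from the original thread). Builds a CSP header value from a
// directive => sources array. Function names, $origin and $legacy are assumptions.

/**
 * Convert one source expression. A path such as '/a/js/' becomes 'self' for
 * older browsers that only understand host sources, or $origin . path for
 * browsers that match paths (the subject of webappsec issue 73).
 * Anything else (a keyword or a full origin) is passed through unchanged.
 */
function csp_source($src, $origin, $legacy)
{
    if ($src !== '' && $src[0] === '/') {
        return $legacy ? "'self'" : $origin . $src;
    }
    return $src;
}

/**
 * Serialise the policy. Empty source lists become 'none' rather than being
 * dropped, so a missing directive never silently falls back to default-src.
 */
function build_csp(array $csp, $origin, $legacy = false)
{
    $parts = array();
    foreach ($csp as $directive => $sources) {
        // Tolerate a scalar assigned by mistake ($csp['x'] = 'y' instead of $csp['x'][] = 'y').
        $sources = (array) $sources;

        if ($directive === 'plugin-types') {
            // MIME types are listed verbatim; they are not source expressions.
            $values = $sources;
        } else {
            $values = array_map(function ($s) use ($origin, $legacy) {
                return csp_source($s, $origin, $legacy);
            }, $sources);
        }

        // Several paths collapse to one 'self' in legacy mode; remove duplicates.
        $values = array_values(array_unique($values));
        if (count($values) === 0) {
            $values = array("'none'");
        }
        $parts[] = $directive . ' ' . implode(' ', $values);
    }
    return implode('; ', $parts);
}

// Constructed sample policy mirroring the one in the message.
$csp = array(
    'default-src'  => array("'none'"),
    'object-src'   => array('/'),
    'plugin-types' => array(),
    'form-action'  => array('/'),
    'style-src'    => array('/a/css/'),
    'img-src'      => array('/a/img/', 'https://www.google-analytics.com'),
    'script-src'   => array('/a/js/', 'https://www.google-analytics.com'),
);

// Page-specific addition: append with [] so the array is extended, not overwritten.
$csp['plugin-types'][] = 'application/pdf';

// 'https://www.example.com' is an assumed origin for the example.
echo build_csp($csp, 'https://www.example.com', false), "\n";  // path-aware browsers
echo build_csp($csp, 'https://www.example.com', true), "\n";   // older browsers: paths become 'self'
```

With the sample array, plugin-types ends up as "application/pdf" on the page that appended it, while on every other page it would be serialised as 'none'. Leaving the object-src default at '/' does what the message warns about: it permits objects from anywhere on the current origin, so a site that wants the locked-down default would start with an empty object-src array and add paths only on the pages that embed a plugin.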




On 8 Jan 2015, at 10:37, Mike West <mkwst@google.com> wrote:

> I don't understand the use case. This should be addressed by `object-src 'none'`, shouldn't it?
> 
> In particular, I don't understand the notion of a default which can be overridden as needed. If `plugin-types 'none'` was set, how would you allow something in the future?
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>, @mikewest
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
> On Tue, Dec 30, 2014 at 8:31 PM, Brad Hill <hillbrad@gmail.com> wrote:
> https://www.w3.org/2011/webappsec/track/issues/74
> 
> 
> On Tue Dec 30 2014 at 10:32:17 AM Craig Francis <craig@craigfrancis.co.uk> wrote:
> Hi,
> 
> In regards to the plugin-types:
> 
> http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types
> 
> Google Chrome (v40) complains if you set 'none' for the plugin-types directive (or leave it blank).
> 
> https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ
> 
> I would personally prefer to have this option, so the default for the website is to always return 'none', then plugin-types can be set as needed (along with the object-src).
> 
> Craig
> 

Received on Thursday, 8 January 2015 12:39:14 UTC