Re: [CSP3] Allow plugin-types "none"

On Thu, Jan 8, 2015 at 1:38 PM, Craig Francis <craig@craigfrancis.co.uk>
wrote:

>
> Noting that there is a default of allowing objects from anywhere on the
> current domain (which is probably not a good default).
>

It's a better default than allowing them from anywhere. :)


> Then if any directive has an empty array, it can use 'none'...
> which I think is better than excluding the directive (whatever that may be,
> e.g. 'script-src'), and allowing it to fall back to the 'default-src'.
>

Note that `plugin-types` isn't the same as directives like `default-src`.
The latter are "source list"
<https://w3c.github.io/webappsec/specs/content-security-policy/#source-list>
directives, and generally fall back to `default-src`. `plugin-types` is a
"media type list"
<https://w3c.github.io/webappsec/specs/content-security-policy/#media-type-list>
directive, and does not fall back to `default-src`. For that reason, I
think the consistency argument isn't particularly persuasive. The two
directives have different grammars, do different things, and I don't see a
real issue in making their behaviors distinct.

If you don't want any restrictions on plugins based on their types, it
makes sense to me not to include the directive. If you want to ensure that
you don't have any plugins at all, it makes sense to me to use `object-src
'none'`. Having two ways of saying that doesn't seem like a helpful
direction to go in.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 8 January 2015 12:50:02 UTC
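
The distinction drawn in the message above, as an added example that is not part of the original email or of any browser's code: a simplified model of how a policy resolves plugin loads, where `object-src` falls back to `default-src` and `plugin-types` has no fallback. The function names `parsePolicy` and `pluginDecision` and the shape of the returned object are assumptions made for illustration.

```javascript
// Simplified model (added example): split a CSP header value into directives.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Decide what the policy says about plugins (<object>, <embed>).
function pluginDecision(header) {
  const policy = parsePolicy(header);

  // object-src is a source list directive: if absent, default-src governs.
  let sourceDirective = null;
  if (policy.has('object-src')) sourceDirective = 'object-src';
  else if (policy.has('default-src')) sourceDirective = 'default-src';
  const sources = sourceDirective ? policy.get(sourceDirective) : null;

  // An empty source list matches nothing, the same as 'none'.
  const allPluginsBlocked = sources !== null &&
    (sources.length === 0 ||
     (sources.length === 1 && sources[0].toLowerCase() === "'none'"));

  // plugin-types is a media type list directive: it never falls back to
  // default-src, so an absent directive means no restriction by type.
  const allowedTypes = policy.has('plugin-types')
    ? policy.get('plugin-types').map((t) => t.toLowerCase())
    : null;

  return {
    sourceDirective,                                  // null = no source restriction
    allPluginsBlocked,
    allowedSources: allPluginsBlocked ? [] : sources, // null = unrestricted
    allowedTypes,                                     // null = unrestricted
  };
}
```

Running `pluginDecision` over a site's deployed header shows at a glance whether plugins are blocked outright by `object-src 'none'` or only inherit whatever `default-src` allows.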