On 8 Jan 2015, at 12:49, Mike West <mkwst@google.com> wrote:
>
> Note that `plugin-types` isn't the same as directives like `default-src`. The latter are "source list" directives, and generally fall back to `default-src`. `plugin-types` is a "media type list" directive, and does not fall back to `default-src`. For that reason, I think the consistency argument isn't particularly persuasive. The two directives have different grammars, do different things, and I don't see a real issue in making their behaviors distinct.
>
> If you don't want any restrictions on plugins based on their types, it makes sense to me not to include the directive. If you want to ensure that you don't have any plugins at all, it makes sense to me to use `object-src 'none'`. Having two ways of saying that doesn't seem like a helpful direction to go in.

Fair enough... and even if I did send 'none', all it would do is show a warning in the console (and still do as I would expect).

One other possible argument: 'none' does show that the developer of a website has considered this directive :-P

Anyway (and just for my own reference), the list of directives that do (or do not) currently support 'none' includes...

source-list (allows 'none'):
  base-uri
  child-src
  connect-src
  default-src
  font-src
  form-action
  frame-ancestors
  frame-src
  img-src
  manifest-src
  media-src
  object-src
  script-src
  style-src

other (allows 'none'):
  referrer

other (not 'none'):
  reflected-xss
  sandbox
  report-uri
  plugin-types
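
Added example, not part of the original message: a small Python check built on the directive list above, which flags 'none' where the list says it is not accepted and reports whether a policy blocks all plugins via `object-src` (falling back to `default-src`). The function names and finding strings are assumptions made for illustration.

```python
# Directive categories copied from the list in the message above.
SOURCE_LIST = {
    "base-uri", "child-src", "connect-src", "default-src", "font-src",
    "form-action", "frame-ancestors", "frame-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src",
}
NO_NONE = {"reflected-xss", "sandbox", "report-uri", "plugin-types"}


def parse_policy(header_value):
    """Split a CSP header value into {directive: [tokens]}; first occurrence wins."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def check_none(header_value):
    """Return (directive, finding) pairs for questionable uses of 'none'."""
    findings = []
    for name, values in parse_policy(header_value).items():
        if "'none'" not in values:
            continue
        if name in NO_NONE:
            hint = "not a valid value here"
            if name == "plugin-types":
                # The advice given in the quoted reply.
                hint += "; use object-src 'none' to block all plugins"
            findings.append((name, hint))
        elif name in SOURCE_LIST and len(values) > 1:
            findings.append((name, "'none' combined with other sources"))
    return findings


def plugins_blocked(header_value):
    """True when the effective object-src is exactly 'none'.

    object-src is a source-list directive and falls back to default-src;
    plugin-types does not, so it plays no part in this decision.
    """
    policy = parse_policy(header_value)
    effective = policy.get("object-src", policy.get("default-src"))
    return effective == ["'none'"]
```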