W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [CSP3] Allow plugin-types "none"

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Thu, 8 Jan 2015 14:40:20 +0000
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <2E4EF8ED-E852-4598-8242-82E2B6265F95@craigfrancis.co.uk>
To: Mike West <mkwst@google.com>
On 8 Jan 2015, at 12:49, Mike West <mkwst@google.com> wrote:
> 
> Note that `plugin-types` isn't the same as directives like `default-src`. The latter are "source list" directives, and generally fall back to `default-src`. `plugin-types` is a "media type list" directive, and does not fall back to `default-src`. For that reason, I think the consistency argument isn't particularly persuasive. The two directives have different grammars, do different things, and I don't see a real issue in making their behaviors distinct.
> 
> If you don't want any restrictions on plugins based on their types, it makes sense to me not to include the directive. If you want to ensure that you don't have any plugins at all, it makes sense to me to use `object-src 'none'`. Having two ways of saying that doesn't seem like a helpful direction to go in.
Fair enough... and even if I did send 'none', all it would do is show a warning in the console (and still do as I would expect).

One other possible argument, 'none' does show the developer of a website has considered this directive :-P

Anyway (and just for my own reference), the list of directives that do (or do not) currently support 'none' include...

source-list (allows 'none')
	base-uri
	child-src
	connect-src
	default-src
	font-src
	form-action
	frame-ancestors
	frame-src
	img-src
	manifest-src
	media-src
	object-src
	script-src
	style-src

other (allows 'none')
	referrer

other (not 'none')
	reflected-xss
	sandbox
	report-uri
	plugin-types
Received on Thursday, 8 January 2015 14:40:50 UTC
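The directive table above, turned into a small policy checker (an added example for this archive page, not code from the thread or from any CSP implementation). It uses exactly the classification Craig lists: the fourteen source-list directives and `referrer` accept 'none', while `reflected-xss`, `sandbox`, `report-uri` and `plugin-types` do not. It also encodes Mike West's two points: source-list directives fall back to `default-src` while `plugin-types` does not, and the way to forbid plugins entirely is `object-src 'none'`. The function and constant names are my own; the sample policies are constructed.

```python
"""Lint a Content-Security-Policy header against the 'none' rules in this thread.

Hypothetical helper names; the directive sets come from the list in the mail.
"""
from typing import Dict, List

# Directives that take a source list and therefore accept 'none'
# (and fall back to default-src when absent).
SOURCE_LIST_DIRECTIVES = {
    "base-uri", "child-src", "connect-src", "default-src", "font-src",
    "form-action", "frame-ancestors", "frame-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src",
}
# Non-source-list directives that still accept 'none'.
OTHER_NONE_OK = {"referrer"}
# Directives for which 'none' is not a defined value.
NONE_NOT_ALLOWED = {"reflected-xss", "sandbox", "report-uri", "plugin-types"}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split 'name value value; name value' into {name: [values]}.

    Only the first occurrence of a directive name is kept, which matches
    how CSP user agents treat duplicate directives.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def lint_policy(header: str) -> List[str]:
    """Return one finding per directive that is given 'none' but cannot take it."""
    findings: List[str] = []
    for name, values in parse_policy(header).items():
        has_none = any(v.lower() == "'none'" for v in values)
        if not has_none or name not in NONE_NOT_ALLOWED:
            continue
        msg = f"{name}: 'none' is not a valid value for this directive"
        if name == "plugin-types":
            # plugin-types restricts plugin MIME types; it cannot disable
            # plugins. object-src 'none' is the directive that does that.
            msg += "; use object-src 'none' to block all plugins"
        findings.append(msg)
    return findings


def plugins_disabled(header: str) -> bool:
    """True when the policy blocks every plugin: object-src 'none', or
    default-src 'none' with no object-src override (source-list fallback).

    A plugin-types directive on its own never disables plugins, so it is
    deliberately not consulted here.
    """
    policy = parse_policy(header)
    effective = policy.get("object-src", policy.get("default-src"))
    if effective is None:
        return False
    return [v.lower() for v in effective] == ["'none'"]


if __name__ == "__main__":
    # Constructed sample policy resembling the one discussed in the thread.
    sample = "default-src 'self'; object-src 'none'; plugin-types 'none'"
    for finding in lint_policy(sample):
        print("warning:", finding)
    print("plugins disabled:", plugins_disabled(sample))
```

Run it against a real response header to see which 'none' values are doing work and which are only generating console warnings; the `plugins_disabled` check is the one that answers the question this thread is about.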

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC