On 8 Jan 2015, at 12:49, Mike West <mkwst@google.com> wrote: > > Note that `plugin-types` isn't the same as directives like `default-src`. The latter are "source list" directives, and generally fall back to `default-src`. `plugin-types` is a "media type list" directive, and does not fall back to `default-src`. For that reason, I think the consistency argument isn't particularly persuasive. The two directives have different grammars, do different things, and I don't see a real issue in making their behaviors distinct. > > If you don't want any restrictions on plugins based on their types, it makes sense to me not to include the directive. If you want to ensure that you don't have any plugins at all, it makes sense to me to use `object-src 'none'`. Having two ways of saying that doesn't seem like a helpful direction to go in. Fair enough... and even if I did send 'none', all it would do is show a warning in the console (and still do as I would expect). One other possible argument, 'none' does show the developer of a website has considered this directive :-P Anyway (and just for my own reference), the list of directives that do (or do not) currently support 'none' include... source-list (allows 'none') base-uri child-src connect-src default-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src script-src style-src other (allows 'none') referrer other (not 'none') reflected-xss sandbox report-uri plugin-types
Received on Thursday, 8 January 2015 14:40:50 UTC