
Re: [CSP3] Allow plugin-types "none"

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 08 Jan 2015 15:57:41 +0000
Message-ID: <CAHQV2KnXP_6j+vEJTq2LhqaQopMtxiqJy-6VE7AFfFNPYWZ=hA@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>, Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I can see how this is confusing, and we really shouldn't expect developers
to know the syntactic differences between source-list and media-type-list,
so maybe user agents could/should provide a more helpful error message?
Something like, "you've set plugin-types to 'none', which is an unknown
value. Perhaps you meant to set object-src to 'none'?"

On Thu Jan 08 2015 at 6:43:25 AM Craig Francis <craig@craigfrancis.co.uk> wrote:

> On 8 Jan 2015, at 12:49, Mike West <mkwst@google.com> wrote:
> > Note that `plugin-types` isn't the same as directives like `default-src`.
> > The latter are "source list" directives
> > <https://w3c.github.io/webappsec/specs/content-security-policy/#source-list>,
> > and generally fall back to `default-src`. `plugin-types` is a "media type
> > list" directive
> > <https://w3c.github.io/webappsec/specs/content-security-policy/#media-type-list>,
> > and does not fall back to `default-src`. For that reason, I think the
> > consistency argument isn't particularly persuasive. The two directives
> > have different grammars, do different things, and I don't see a real
> > issue in making their behaviors distinct.
> >
> > If you don't want any restrictions on plugins based on their types, it
> > makes sense to me not to include the directive. If you want to ensure
> > that you don't have any plugins at all, it makes sense to me to use
> > `object-src 'none'`. Having two ways of saying that doesn't seem like a
> > helpful direction to go in.
>
> Fair enough... and even if I did send 'none', all it would do is show a
> warning in the console (and still do as I would expect).
> One other possible argument, 'none' does show the developer of a website
> has considered this directive :-P
> Anyway (and just for my own reference), the list of directives that do (or
> do not) currently support 'none' include...
>
> source-list (allows 'none')
>   base-uri
>   child-src
>   connect-src
>   default-src
>   font-src
>   form-action
>   frame-ancestors
>   frame-src
>   img-src
>   manifest-src
>   media-src
>   object-src
>   script-src
>   style-src
>
> other (allows 'none')
>   referrer
>
> other (not 'none')
>   reflected-xss
>   sandbox
>   report-uri
>   plugin-types
Received on Thursday, 8 January 2015 15:58:15 UTC
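A small checker, added here as an illustration and not part of the thread or of any CSP implementation, that encodes Craig's directive classification and Joel's proposed warning: it parses a policy, applies the `default-src` fallback only to source-list directives (so `plugin-types` never inherits it), and flags `plugin-types 'none'` with a pointer to `object-src 'none'`. The `NO_FALLBACK` set for `base-uri`, `form-action` and `frame-ancestors` is taken from CSP Level 2, not from the thread, and the media-type regex is a simplified token syntax.

```python
import re
from typing import Dict, List, Optional

# Directive classes as listed in the thread (CSP as of January 2015).
SOURCE_LIST_DIRECTIVES = {
    "base-uri", "child-src", "connect-src", "default-src", "font-src",
    "form-action", "frame-ancestors", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
}
# Directives that never inherit default-src (per CSP Level 2, an assumption
# beyond the thread). plugin-types is a media-type list with no fallback.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}
MEDIA_TYPE_LIST_DIRECTIVES = {"plugin-types"}
# A media type is type/subtype, e.g. application/pdf (simplified token syntax).
MEDIA_TYPE_RE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+$")

def parse_policy(policy: str) -> Dict[str, List[str]]:
    """{directive-name: [values]}: ';'-separated directives, whitespace-separated
    tokens, case-insensitive names; a repeated directive is ignored."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_values(policy: str, name: str) -> Optional[List[str]]:
    """Values governing `name`: source-list directives fall back to
    default-src; plugin-types and the NO_FALLBACK set do not."""
    directives = parse_policy(policy)
    if name in directives:
        return directives[name]
    if name in SOURCE_LIST_DIRECTIVES and name not in NO_FALLBACK:
        return directives.get("default-src")
    return None

def lint_policy(policy: str) -> List[str]:
    """Warnings a user agent could log, including the hint Joel proposes."""
    warnings = []
    for name, values in parse_policy(policy).items():
        if name not in MEDIA_TYPE_LIST_DIRECTIVES:
            continue
        for value in values:
            if value.lower() == "'none'":
                warnings.append(f"{name}: 'none' is not a media type; "
                                "perhaps you meant object-src 'none'?")
            elif not MEDIA_TYPE_RE.match(value):
                warnings.append(f"{name}: {value!r} is not a media type")
    return warnings
```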
