Re: [CSP3] Allow plugin-types "none"

I can see how this is confusing, and we really shouldn't expect developers
to know the syntactic differences between source-list and media-type-list,
so maybe user agents could/should provide a more helpful error message?
Something like, "you've set plugin-types to 'none', which is an unknown
value. Perhaps you meant to set object-src to 'none'?"


On Thu Jan 08 2015 at 6:43:25 AM Craig Francis <craig@craigfrancis.co.uk>
wrote:

> On 8 Jan 2015, at 12:49, Mike West <mkwst@google.com> wrote:
>
> Note that `plugin-types` isn't the same as directives like `default-src`.
> The latter are "source list
> <https://w3c.github.io/webappsec/specs/content-security-policy/#source-list>"
> directives, and generally fall back to `default-src`. `plugin-types` is a "media
> type list
> <https://w3c.github.io/webappsec/specs/content-security-policy/#media-type-list>"
> directive, and does not fall back to `default-src`. For that reason, I
> think the consistency argument isn't particularly persuasive. The two
> directives have different grammars, do different things, and I don't see a
> real issue in making their behaviors distinct.
>
> If you don't want any restrictions on plugins based on their types, it
> makes sense to me not to include the directive. If you want to ensure that
> you don't have any plugins at all, it makes sense to me to use `object-src
> 'none'`. Having two ways of saying that doesn't seem like a helpful
> direction to go in.
>
> Fair enough... and even if I did send 'none', all it would do is show a
> warning in the console (and still do as I would expect).
>
> One other possible argument, 'none' does show the developer of a website
> has considered this directive :-P
>
> Anyway (and just for my own reference), the list of directives that do (or
> do not) currently support 'none' include...
>
> source-list (allows 'none')
> base-uri
> child-src
> connect-src
> default-src
> font-src
> form-action
> frame-ancestors
> frame-src
> img-src
> manifest-src
> media-src
> object-src
> script-src
> style-src
>
> other (allows 'none')
> referrer
>
> other (not 'none')
> reflected-xss
> sandbox
> report-uri
> plugin-types
>
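The helpful error message proposed at the top of this message, worked through as an added example that is not part of the thread: a small CSP policy linter that flags `plugin-types 'none'` and points the developer at `object-src 'none'`, using the directive classification Craig listed (directive names, sample header and the warning wording are assumptions for illustration).

```javascript
// Added example, not from the thread or any user agent: lint a CSP header for
// misuse of the 'none' keyword. Directive classes follow the list in the thread.
const SOURCE_LIST_DIRECTIVES = new Set([
  "base-uri", "child-src", "connect-src", "default-src", "font-src",
  "form-action", "frame-ancestors", "frame-src", "img-src", "manifest-src",
  "media-src", "object-src", "script-src", "style-src",
]);
// Directives whose grammar is not a source list and does not accept 'none'.
const NO_NONE_DIRECTIVES = new Set(["reflected-xss", "sandbox", "report-uri", "plugin-types"]);

// Parse a Content-Security-Policy header value into Map<directive, token[]>.
// CSP ignores repeated directives, so the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return one warning string per misuse of 'none' found in the policy.
function lintNoneUsage(header) {
  const warnings = [];
  for (const [name, values] of parsePolicy(header)) {
    const hasNone = values.some((v) => v.toLowerCase() === "'none'");
    if (!hasNone) continue;
    if (name === "plugin-types") {
      // The confusion discussed in the thread: media-type-list, not source-list.
      warnings.push("plugin-types is a media-type-list directive and 'none' is not " +
        "a media type; to block all plugins use object-src 'none'.");
    } else if (NO_NONE_DIRECTIVES.has(name)) {
      warnings.push(`${name} does not accept the 'none' keyword.`);
    } else if (SOURCE_LIST_DIRECTIVES.has(name) && values.length > 1) {
      // In the source-list grammar 'none' must be the only source expression.
      warnings.push(`${name}: 'none' must be the only source expression.`);
    }
  }
  return warnings;
}

// Constructed sample header reproducing the mistake from the thread.
const SAMPLE_POLICY = "default-src 'self'; plugin-types 'none'; object-src 'none'";
console.log(lintNoneUsage(SAMPLE_POLICY));
```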

Received on Thursday, 8 January 2015 15:58:15 UTC