
Re: Plugin data (was Re: Comments on Mixed Content)

From: Mike West <mkwst@google.com>
Date: Fri, 16 Jan 2015 06:22:57 +0100
Message-ID: <CAKXHy=fYNx0f_zvSapuVP-UGiCuCvoPXy8Kv9JUb_WbnYZ+fZw@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jan 15, 2015 at 11:39 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

>  Pulling out the section on plugin data.  Right now, the spec treats
> subrequests initiated by plugins as optionally blockable.

The spec actually considers them "blockable", similar to XHR (see
plugin data requests should be tagged with a request context of "plugin",
which isn't listed as one of the optionally blockable contexts).

> Such requests might be for script subresources or they might be for image
> subresources, but either way they are categorized as optionally blockable.
> Since the plugin is the one requesting the resource, it is hard for the
> user agent to tell if the request is for content that should be
> blockable[1].  In order to avoid blocking optionally blockable content,
> user agents have categorized this as optionally blockable even though some
> of the content warrants blocking.

I don't have a solid timeline yet (waiting on numbers), but Chrome's intent
is to begin blocking all insecure plugin requests At Some Point In The
Relatively Near Future™. We can do this for PPAPI, as it uses our network
stack. We can't do it for NPAPI, but we're addressing that in other ways.

> As Mike has suggested below, should we add requirements for plugins?  We
> could add text that says plugins must not request blockable content in a
> secure context.

I'm happy to add some text somewhere to that effect. It's not clear to me
that plugin vendors will particularly care about being compliant, but we
can ask nicely. :)

Mike West <mkwst@google.com>, @mikewest

Received on Friday, 16 January 2015 05:23:45 UTC
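The distinction the thread turns on, that a plugin-initiated subrequest is tagged with the "plugin" request context and therefore falls in the blockable bucket rather than the optionally blockable one, can be written down as a small classifier. The block below is an added illustration, not code from this thread, from the Mixed Content draft, or from any browser. It assumes that the optionally blockable contexts are image, audio and video, that a simplified list of schemes counts as potentially trustworthy, and that the user agent exposes one policy knob (`blockOptionallyBlockable`) for the strict mode Tanvi's message alludes to; `classifyRequest`, `decide` and the sample requests are all constructed for this example.

```javascript
// Added illustration of the Mixed Content classification discussed in the
// thread. Nothing here is spec text or browser code; see the lead-in.

// Assumption: simplified set of "potentially trustworthy" schemes. The real
// algorithm also handles cases such as localhost, which are omitted here.
const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:", "data:", "about:", "blob:"]);

// Assumption: the request contexts treated as optionally blockable. "plugin"
// is deliberately absent, which is the point made in the reply above.
const OPTIONALLY_BLOCKABLE_CONTEXTS = new Set(["image", "audio", "video"]);

function isPotentiallyTrustworthy(url) {
  return TRUSTWORTHY_SCHEMES.has(new URL(url).protocol);
}

// Returns "allowed", "optionally-blockable" or "blockable" for a subresource
// request made by a document at documentUrl. The classification depends only
// on the request context the UA assigned, never on what the response turns
// out to be: a plugin's subrequest is tagged "plugin" whether the plugin
// wanted an image or a script, so it cannot be placed in the lenient bucket.
function classifyRequest(documentUrl, requestUrl, requestContext) {
  if (!isPotentiallyTrustworthy(documentUrl)) {
    return "allowed"; // not a secure context, so nothing is "mixed"
  }
  if (isPotentiallyTrustworthy(requestUrl)) {
    return "allowed"; // secure subresource inside a secure context
  }
  if (OPTIONALLY_BLOCKABLE_CONTEXTS.has(requestContext)) {
    return "optionally-blockable";
  }
  return "blockable";
}

// Turns the classification into a UA action. Assumption: a single policy
// flag decides whether optionally blockable content is blocked or only
// flagged in the UI ("warn"); blockable content is always blocked.
function decide(documentUrl, requestUrl, requestContext,
                { blockOptionallyBlockable = false } = {}) {
  const kind = classifyRequest(documentUrl, requestUrl, requestContext);
  if (kind === "blockable") return "block";
  if (kind === "optionally-blockable") {
    return blockOptionallyBlockable ? "block" : "warn";
  }
  return "fetch";
}

// Constructed sample requests from an https document (hostnames invented).
const SAMPLE_REQUESTS = [
  { url: "http://cdn.example.test/logo.png",     context: "image"  },
  { url: "http://cdn.example.test/app.js",       context: "script" },
  { url: "http://cdn.example.test/movie.swf",    context: "plugin" },
  { url: "http://cdn.example.test/frame.png",    context: "plugin" }, // an image, but fetched by a plugin
  { url: "https://cdn.example.test/secure.js",   context: "script" },
];

// Returns a map of sample URL+context to the UA's decision, so the outcome
// can be inspected (or asserted on) rather than only printed.
function runSamples(documentUrl = "https://example.test/", policy = {}) {
  const out = {};
  for (const r of SAMPLE_REQUESTS) {
    out[`${r.context} ${r.url}`] = decide(documentUrl, r.url, r.context, policy);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSamples());
}
```

Note the fourth sample: the plugin is fetching a PNG, exactly the case Tanvi describes, yet the classifier can only see the "plugin" context and so blocks it. That asymmetry (the UA cannot distinguish a plugin's image fetch from its script fetch) is why a spec or a UA that wants the lenient treatment for images cannot extend it to plugin subrequests without trusting the plugin's own labelling.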
