CSP and blocking all plugin-types?

[craig....@gmail.com]

With the Content Security Policy v2, being introduced in Chrome 40, there is the new directive "plugin-types".

http://www.w3.org/TR/CSP2/#directive-plugin-types

Assuming the website does not use any plugins, what is the correct way to define that?

Content-Security-Policy: default-src 'none'; plugin-types ; ...

Which results in the Google Chrome warning (via reportInvalidPluginTypes):

'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.

Or do you go with the 'none' option used by other directives, such as:

Content-Security-Policy:default-src 'none'; plugin-types 'none'; ...

Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.

I should add that this only seems to appear when a page tries to load a plugin (e.g. if you embed an iframe for Vimeo).

[Joel Weinberger]

Hi Craig. The correct way to do this is to use the object-src directive. With object-src, you can declare 'none' which will disallow plugins (objects, embeds, etc.). It's a bit confusing, but plugin-types is only intended to be used if you are allowing some plugins with object-src. Otherwise, it's a nonsensical directive to use (hence why it's invalid to leave it empty or give it the value 'none'). Hope that helps, and let me know if it's unclear!

--Joel

[Craig Francis]

Thanks Joel,

That makes sense... but doesn't the plugin-types directive fall though to nested documents (e.g. iframes)? I've not tested, but I didn't think object-src did?

Also, I'm not sure if you can easily edit or propose edits the to spec, but maybe it could be updated to:

- State what should happen "if no plugin types are allowed" (in this case, noting that the object-src should be 'none', and it, unlike other directives, does not support this keyword).

- And maybe it should be named "object-types", to show its direct relationship to the object-src directive... as while unlikely, we might then add things like img-types :-)

Craig