CSP and blocking all plugin-types?

881 views
Skip to first unread message

craig....@gmail.com

unread,
Dec 5, 2014, 9:01:33 AM12/5/14
to securi...@chromium.org
With the Content Security Policy v2, being introduced in Chrome 40, there is the new directive "plugin-types".

http://www.w3.org/TR/CSP2/#directive-plugin-types

Assuming the website does not use any plugins, what is the correct way to define that?

Content-Security-Policy: default-src 'none'; plugin-types ; ...

Which results in the Google Chrome warning (via reportInvalidPluginTypes):

'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.

Or do you go with the 'none' option used by other directives, such as:

Content-Security-Policy:default-src 'none'; plugin-types 'none'; ...

Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.

I should add that this only seems to appear when a page tries to load a plugin (e.g. if you embed an iframe for Vimeo).

Joel Weinberger

unread,
Dec 5, 2014, 3:01:03 PM12/5/14
to craig....@gmail.com, security-dev
Hi Craig. The correct way to do this is to use the object-src directive. With object-src, you can declare 'none' which will disallow plugins (objects, embeds, etc.). It's a bit confusing, but plugin-types is only intended to be used if you are allowing some plugins with object-src. Otherwise, it's a nonsensical directive to use (hence why it's invalid to leave it empty or give it the value 'none'). Hope that helps, and let me know if it's unclear!
--Joel

Craig Francis

unread,
Dec 7, 2014, 7:01:12 AM12/7/14
to Joel Weinberger, security-dev
Thanks Joel,

That makes sense... but doesn't the plugin-types directive fall though to nested documents (e.g. iframes)? I've not tested, but I didn't think object-src did?

Also, I'm not sure if you can easily edit or propose edits the to spec, but maybe it could be updated to:

- State what should happen "if no plugin types are allowed" (in this case, noting that the object-src should be 'none', and it, unlike other directives, does not support this keyword).

- And maybe it should be named "object-types", to show its direct relationship to the object-src directive... as while unlikely, we might then add things like img-types :-)

Craig
Reply all
Reply to author
Forward
0 new messages