CSP and blocking all plugin-types?


Dec 5, 2014, 9:01:33 AM
to securi...@chromium.org
With the Content Security Policy v2, being introduced in Chrome 40, there is the new directive "plugin-types".


Assuming the website does not use any plugins, what is the correct way to define that?

Content-Security-Policy: default-src 'none'; plugin-types ; ...

Which results in the Google Chrome warning (via reportInvalidPluginTypes):

'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.

Or do you go with the 'none' option used by other directives, such as:

Content-Security-Policy: default-src 'none'; plugin-types 'none'; ...

Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.

I should add that this only seems to appear when a page tries to load a plugin (e.g. if you embed an iframe for Vimeo).

Joel Weinberger

Dec 5, 2014, 3:01:03 PM
to craig....@gmail.com, security-dev
Hi Craig. The correct way to do this is to use the object-src directive. With object-src, you can declare 'none' which will disallow plugins (objects, embeds, etc.). It's a bit confusing, but plugin-types is only intended to be used if you are allowing some plugins with object-src. Otherwise, it's a nonsensical directive to use (hence why it's invalid to leave it empty or give it the value 'none'). Hope that helps, and let me know if it's unclear!
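
A small policy linter that encodes the advice in this reply, added here as an example (not code from the thread or from Chromium): it parses a CSP header, reports the effective object-src (falling back to default-src as browsers do), and flags the two plugin-types cases Chrome complains about above.

```python
"""Lint a Content-Security-Policy header for how it handles plugins.

Added example (not code from the thread): it flags the two Chrome messages
quoted above and the recommended fix, blocking plugins with object-src 'none'
and omitting plugin-types unless some plugin types are actually allowed.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [values]}; names are lowercased."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_plugin_policy(header: str) -> List[str]:
    """Return human-readable findings about plugin handling in the policy."""
    policy = parse_csp(header)
    findings: List[str] = []

    # object-src governs <object>, <embed> and <applet>. If it is absent the
    # browser falls back to default-src; if both are absent, plugins are
    # unrestricted by this policy.
    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src is None:
        findings.append("plugins unrestricted: neither object-src nor default-src set")
    elif object_src == ["'none'"]:
        findings.append("plugins blocked: effective object-src is 'none'")
    else:
        findings.append("plugins allowed from: " + " ".join(object_src))

    # plugin-types only makes sense alongside an object-src that allows something.
    if "plugin-types" in policy:
        types = policy["plugin-types"]
        if not types:
            findings.append("plugin-types is empty: Chrome warns and blocks all plugins")
        elif "'none'" in types:
            findings.append("plugin-types contains 'none': Chrome reports it as invalid")
        elif object_src == ["'none'"]:
            findings.append("plugin-types is pointless when object-src is 'none'")
    return findings
```

Run it over the two headers from the original question and over `default-src 'self'; object-src 'none'` to see the difference between the warned-about forms and the recommended one.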

Craig Francis

Dec 7, 2014, 7:01:12 AM
to Joel Weinberger, security-dev
Thanks Joel,

That makes sense... but doesn't the plugin-types directive fall through to nested documents (e.g. iframes)? I've not tested, but I didn't think object-src did?

Also, I'm not sure if you can easily edit or propose edits to the spec, but maybe it could be updated to:

- State what should happen "if no plugin types are allowed" (in this case, noting that the object-src should be 'none', and it, unlike other directives, does not support this keyword).

- And maybe it should be named "object-types", to show its direct relationship to the object-src directive... as while unlikely, we might then add things like img-types :-)
