Closed Bug 1045899 Opened 10 years ago Closed 3 years ago

Implement CSP 1.1 plugin-types directive

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Platform:
All
Linux
Type:
enhancement

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: geekboy, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

(Whiteboard: [CSP 1.1], [domsecurity-backlog3]) 

Implement plugin-types directive for CSP that restricts what types of plugins can load on a page.

From the draft spec: "The plugin-types directive restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded. ".  See the URL for details.
Priority: -- → P3
Assignee: sstamm → nobody
Whiteboard: [CSP 1.1] → [CSP 1.1], [domsecurity-backlog]
Note: since we're removing support for all plugins except Flash in FF52, and the current sandboxing status-quo is to not allow plugins at all, I'm not sure this is worthwhile. Should we consider WONTFIXing this or even removing this from CSP 1.1?
Whiteboard: [CSP 1.1], [domsecurity-backlog] → [CSP 1.1], [domsecurity-backlog3]
Web developers putting this out will get console messages on every page currently.

If you're not going to support that's okay, but can we at least suppress that?

Given https://github.com/w3c/webappsec-csp/issues/394 and recent removal of typemustmatch I don't think we should implement this.

Chris, that request is probably best logged separately, but if Chrome also removes this the console messages might actually become warranted.

The next release of Firefox will remove plugin support. Is there any use case for this afterwards?

This has been removed from the spec now as well: https://github.com/w3c/webappsec-csp/pull/456

Keywords: dev-doc-needed
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.