From 861a9474d569e88402719ec8b90898cfe22e702d Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Fri, 15 Jan 2021 13:12:44 +0100 Subject: [PATCH] Remove plugin-types This change removes the plugin-types directive and related algorithms. Cf. https://github.com/w3c/webappsec-csp/issues/394 for background --- index.src.html | 130 +------------------------------------------------ 1 file changed, 1 insertion(+), 129 deletions(-) diff --git a/index.src.html b/index.src.html index 6fc2562922..e467a1339c 100644 --- a/index.src.html +++ b/index.src.html @@ -88,8 +88,6 @@

Content Security Policy Level 3

text: target browsing context; url: concept-request-target-browsing-context spec: MIX; urlPrefix: https://www.w3.org/TR/mixed-content/ type: dfn; text: block-all-mixed-content -spec: MIMESNIFF; urlPrefix: https://mimesniff.spec.whatwg.org/ - type: dfn; text: valid MIME type spec: RFC2045; urlPrefix: https://tools.ietf.org/html/rfc2045 type: grammar text: type; url: section-5.1 @@ -1182,13 +1180,7 @@

base URL algorithm to ensure that the <{base/href}> attribute's value is valid. - 12. [[#should-plugin-element-be-blocked-a-priori-by-content-security-policy]] - is called during the processing of <{object}>, <{embed}>, and `applet` - elements to determine whether they may trigger a fetch. - - Note: Fetched plugin resources are handled in [[#should-block-response]]. - - 13. [[#should-block-navigation-request]] is called during the process a + 12. [[#should-block-navigation-request]] is called during the process a navigate fetch algorithm, and [[#should-block-navigation-response]] is called during the process a navigate response algorithm to apply directive's navigation checks, as well as inline checks for @@ -3380,124 +3372,6 @@

2. Return "`Allowed`". -

`plugin-types`

- - The plugin-types directive restricts the set of plugins that - can be embedded into a document by limiting the types of resources which can - be loaded. The directive's syntax is described by the following ABNF grammar: - -
-    directive-name  = "plugin-types"
-    directive-value = media-type-list
-
-    media-type-list = "" / media-type *( required-ascii-whitespace media-type )
-    media-type = type "/" subtype
-    ; type and subtype are defined in RFC 2045
-  
- - If a `plugin-types` directive is present, instantiation of an <{embed}> or - <{object}> element will fail if any of the following conditions hold: - - 1. The element does not explicitly declare a valid MIME type via a - <{embed/type}> attribute. - - 2. The declared type does not match one of the items in the directive's - value. - - 3. The fetched resource does not match the declared type. - - Note: The `plugin-types` grammar allows for an empty directive value in which - case all instantions of <{embed}> and <{object}> will fail. - -
- Given a page with the following Content Security Policy: - -
-      Content-Security-Policy: plugin-types application/pdf
-    
- - Fetches for the following code will all return network errors: - -
-      <!-- No 'type' declaration -->
-      <object data="https://example.com/flash"></object>
-
-      <!-- Non-matching 'type' declaration -->
-      <object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
-
-      <!-- Non-matching resource -->
-      <object data="https://example.com/flash" type="application/pdf"></object>
-    
- - If the page allowed Flash content by sending the following header: - -
-      Content-Security-Policy: plugin-types application/x-shockwave-flash
-    
- - Then the second item above would load successfully: - -
-      <!-- Matching 'type' declaration and resource -->
-      <object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
-    
-
- -
- `plugin-types` Post-Request Check -
- - This directive's post-request check algorithm is as - follows: - - Given a request (|request|), a response (|response|), and a - policy (|policy|): - - 1. Assert: |policy| is unused. - - 2. If |request|'s destination is either "`object`" - or "`embed`": - - 1. Let |type| be the result of extracting a - MIME type from |response|'s header list. - - 2. If |type| is not an ASCII case-insensitive match for any item - in this directive's value, return "`Blocked`". - - 3. Return "`Allowed`". - -
- Should |plugin element| be blocked a priori by Content - Security Policy?: -
- - Given an {{Element}} (|plugin element|), this algorithm returns "`Blocked`" - or "`Allowed`" based on the element's `type` attribute and the policy applied to - its document: - -
    - 1. For each |policy| in |plugin element|'s node document's - CSP list: - - 1. If |policy| contains a directive (|directive|) whose name is - `plugin-types`: - - 1. Let |type| be "`application/x-java-applet`" if |plugin element| - is an `applet` element, or |plugin element|'s `type` attribute's - value if present, or "`null`" otherwise. - - 2. Return "`Blocked`" if any of the following are true: - - 1. |type| is `null`. - - 2. |type| is not a valid MIME type. - - 3. |type| is not an ASCII case-insensitive match for any - item in |directive|'s value. - - 2. Return "`Allowed`". -
-

`sandbox`

The sandbox directive specifies an HTML sandbox policy which the @@ -5204,8 +5078,6 @@

:: This document (see [[#directive-media-src]]) : `object-src` :: This document (see [[#directive-object-src]]) - : `plugin-types` - :: This document (see [[#directive-plugin-types]]) : `report-uri` :: This document (see [[#directive-report-uri]]) : `report-to`