Stop recommending deprecated CSP directive plugin-types in the content repository part of the spec #865
Labels
clarification
An area where the expected behaviour is understood, but the spec could do with being more explicit
enhancement
A suggestion for a relatively simple improvement to the protocol
The `plugin-types` directive was removed from CSP, both in the web spec and in Chrome/Chromium. Firefox never implemented this.

Previously, a valid use for it was to specify `plugin-types: application/pdf` since `object-src: 'none'` disallowed rendering PDFs in some browsers using the browser's built-in PDF renderer (notably this was the case for Chrome). This is also why we started doing it and recommending it. Supposedly another workaround for this was to add `rel="noreferrer"` (see: https://secure.phabricator.com/T13112#237527).

Since support for this was removed, hopefully this shouldn't be a problem anymore. We should test whether it's still happening. If not, we should just switch to using/recommending `object-src: none` instead. If it's still happening, we should investigate whether there's another workaround we can use.
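One way to check a served policy for the directive discussed in this issue, as an added example that is not part of the original issue or the spec: it parses a `Content-Security-Policy` header value, flags the removed `plugin-types` directive, and reports whether plugin content is restricted to `'none'`. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit a Content-Security-Policy header value for the
# removed plugin-types directive and for how plugin content is restricted.
# Header syntax is "name source source; name source" (no colon after the name).

# Constructed sample values, not taken from any real deployment.
LEGACY = "default-src 'none'; plugin-types application/pdf; object-src 'self'"
STRICT = "default-src 'none'; object-src 'none'"


def parse_csp(header_value):
    """Parse a CSP header value into {directive_name: [source, ...]}.

    Directive names are case-insensitive. A repeated directive is ignored
    by CSP, so only the first occurrence is kept.
    """
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_plugin_policy(header_value):
    """Return a list of findings about plugin-related directives."""
    policy = parse_csp(header_value)
    findings = []
    if "plugin-types" in policy:
        findings.append("plugin-types was removed from CSP; do not rely on it")
    # object-src falls back to default-src when it is absent.
    origin = next((d for d in ("object-src", "default-src") if d in policy), None)
    if origin is None:
        findings.append("no object-src or default-src: plugin content is unrestricted")
        return findings
    sources = [s.lower() for s in policy[origin]]
    # An empty source list matches nothing; 'none' only counts when alone.
    if sources and sources != ["'none'"]:
        findings.append(f"{origin} allows plugin content from: {' '.join(policy[origin])}")
    return findings


if __name__ == "__main__":
    for name, value in (("legacy", LEGACY), ("strict", STRICT)):
        print(name, audit_plugin_policy(value) or "ok")
```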