Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider removing plugin-types #394

Closed
annevk opened this issue May 13, 2019 · 14 comments
Closed

Consider removing plugin-types #394

annevk opened this issue May 13, 2019 · 14 comments

Comments

@annevk
Copy link
Member

annevk commented May 13, 2019

It's only implemented in Chrome and has the same vulnerability as typemustmatch, namely that it can be used for a cross-origin MIME type search. (There's also a number of processing model issues around the handling of MIME types, but they don't matter so much if it's removed.)

@briansmith
Copy link

briansmith commented May 13, 2019

Basically <object> and <embed> themselves need to be deprecated and everybody needs to use object-src 'none'. This is already mostly the case because other browsers don't implement plugin-types. Steering people away from using <object> and <embed> in HTML is whatwg/html#4592.

It's not reasonable to have cases where one must use <object> but then have no way to limit which types of objects are allowed through CSP, because plugins are so dangerous.

This seems like a CSP-EE type control, so maybe moving this to CSP-EE, which has a negotiation mechanism, might make sense.

@Sora2455
Copy link

The only reason I use plugin-types is because Chrome, Edge, and Safari all fire CSP violation events if you set object-src: 'none' and then directly link to a PDF file (I can't remember if you need to set target="_blank" or not). Their built-in PDF viewers use <object> tags, and for some bizzare reason the previous page's CSP still applies to it, violating the object-src directive.

(Firefox's PDF viewer is built in JavaScript using the <canvas> tag, so it isn't a problem).

To avoid the violations, I have to set object-src 'self' on any page that can link to a PDF (which is a lot). To try to patch the giant gaping hole that leaves, I set plugin-types: application/pdf.

If we are going to remove plugin-types, can these bugs be fixed first?

@briansmith
Copy link

@Sora2455 That's useful to know. If you have the energy, I would file bug reports with the browsers directly and link to them from here.

@Sora2455
Copy link

I tried to produce a reduced test case, only I couldn't reproduce my error. I combed through my CSP logs more carefully, and now I actually think it's just Safari that has the bug (the Edge and Chrome violations appear to be because of Ext.net usage).

So now I have a reduced test case, but not access to a Safari browser to test it in. Bummer.

This page claims that setting rel="noreferrer" fixes the issue, so I'll try that and let you know if I stop getting Safari CSP violations.

@lbherrera
Copy link

I think @sirdarckcat and @terjanq looked into plugin-types for cross-origin MIME type search and the conclusion was that it was not possible to use it to do so. I did some tests and CSP appears to block the load of the resource only if the type attribute doesn't match the directive. It doesn't seem to take into consideration the actual mime type of the cross-origin resource (testcase).

@annevk
Copy link
Member Author

annevk commented May 21, 2019

Okay, so that means that the one implementation of this feature is also non-compliant. That even more strongly suggests it ought to be removed.

@mikewest
Copy link
Member

  1. It surprises me that no other browser shipped plugin-types. I'm pretty sure I implemented it in WebKit, for example. Weird.

  2. Chrome's behavior is a little more complicated than @lbherrera suggests, but @annevk is correct that it doesn't match the spec. Basically, we check the type attribute against the CSP declaration, and then rely on the plugin infrastructure to do the enforcement (similar conceptually to the way the SRI integration works). If you replace application/json in your example with application/pdf or application/x-shockwave-flash, you should see blocking behavior (you won't see it on jsbin because of sandbox, but you will see it if you self-host the file somewhere).

The spec should certainly line up with what vendors are doing, and I'm willing to be convinced that there's no value to the header at all, but I'm loath to just remove it, as there are absolutely sites out there that lock themselves down to only the PDF plugin because of Chrome's implementation details.

At a glance, 10,190 response's headers in HTTP Archive contain both the strings plugin-types and application/pdf. I haven't dug into that number at all to see if any are actually valid policies, but it's not clear to me that there's no value here in the form Chrome's shipping.

@Sora2455
Copy link

I haven't encountered my error again after implementing rel="norefferer", though I did find a tweet from a Google Engineer who encountered my bug in Chrome: https://twitter.com/PhilippeDeRyck/status/811448160975552512

@annevk
Copy link
Member Author

annevk commented Jan 12, 2021

@mikewest is there still value now that PDF is the sole "plugin"? But also, unless other implementers adopt this I don't think it has passed the test of belonging in a standard.

@mikewest
Copy link
Member

On the "other implementers" point, it does something in WebKit (see HTMLPluginImageElement::canLoadPluginContent for instance). It doesn't look to do the same things it does in Chrome, of course, which is a good argument in favor of changing the status quo.

Given that plugins are dead (huzzah!), I agree that it makes sense to remove the directive both from the spec and from implementations (though possibly keeping some special devtools behavior for the plugin-types directive so we let developers know what's going on). I think I can volunteer @antosart to do that in Chromium. He might be interested in doing the spec work as well? Removing plugin-types would let us get rid of a few pieces of infrastructure that only it depends upon (media-type-list, as well as the plugin hook in HTML).

It's also worth thinking about object-src, which I think we need to keep around as long as we keep <object> and <embed>, but which we'd probably want to start thinking of as a narrower form of frame-src as we shift those elements towards frame's behavior?

@annevk
Copy link
Member Author

annevk commented Jan 15, 2021

Yeah, that would be good.

antosart pushed a commit to antosart/webappsec-csp that referenced this issue Jan 15, 2021
This change removes the plugin-types directive and related algorithms.
Cf. w3c#394 for background
antosart pushed a commit to antosart/webappsec-csp that referenced this issue Jan 15, 2021
This change removes the plugin-types directive and related algorithms.
Cf. w3c#394 for background
antosart pushed a commit to antosart/webappsec-csp that referenced this issue Jan 15, 2021
This change removes the plugin-types directive and related algorithms.
Cf. w3c#394 for background
antosart added a commit that referenced this issue Feb 19, 2021
This change removes the plugin-types directive and related algorithms.
Cf. #394 for background
@sideshowbarker
Copy link
Contributor

@antosart Now that e9895ed is merged, can we close this issue?

sideshowbarker added a commit to mdn/content that referenced this issue Feb 24, 2021
w3c/webappsec-csp#394 completely removed the
plugin-types directive from the CSP spec. So it’s now deprecated and no
longer part of any current spec.
@antosart
Copy link
Member

Yes, I forgot to close this.

@sideshowbarker
Copy link
Contributor

Yes, I forgot to close this.

Cheers - thanks

sideshowbarker added a commit to w3c/browser-compat-data that referenced this issue Feb 24, 2021
w3c/webappsec-csp@e9895ed
(w3c/webappsec-csp#394) completely removed the
plugin-types directive from the CSP spec. So this patch marks it
deprecated:true and standard_track:false
sideshowbarker added a commit to w3c/browser-compat-data that referenced this issue Feb 24, 2021
w3c/webappsec-csp@e9895ed
(w3c/webappsec-csp#394) completely removed the
plugin-types directive from the CSP spec. So this patch marks it
deprecated:true and standard_track:false.
mirunacurtean pushed a commit to mdn/content that referenced this issue Feb 24, 2021
* Push the “fixable flaws” button

* Drop CSP plugin-types spec reference & deprecate

w3c/webappsec-csp#394 completely removed the
plugin-types directive from the CSP spec. So it’s now deprecated and no
longer part of any current spec.
Elchi3 pushed a commit to mdn/browser-compat-data that referenced this issue Feb 24, 2021
* Deprecate CSP plugin-types directive

w3c/webappsec-csp@e9895ed
(w3c/webappsec-csp#394) completely removed the
plugin-types directive from the CSP spec. So this patch marks it
deprecated:true and standard_track:false.

* Remove Firefox bug link for CSP plugin-types
bradbishop pushed a commit to openbmc/bmcweb that referenced this issue Mar 21, 2022
The HTTP Content-Security-Policy (CSP) plugin-types directive has been
removed from the specification and is not supported by most browsers.
Chrome browser suggests to specify "object-src 'none'" instead to block
plugins, so replace it with that directive.

Refer w3c/webappsec-csp#394 for details about
this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP
  plugin-types directive.
* Checked neiter <embed>, <object> or <applet> tags are used in eiter
  phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <[email protected]>
gtmills pushed a commit to gtmills/bmcweb that referenced this issue Jul 13, 2022
The HTTP Content-Security-Policy (CSP) plugin-types directive has been
removed from the specification and is not supported by most browsers.
Chrome browser suggests to specify "object-src 'none'" instead to block
plugins, so replace it with that directive.

Refer w3c/webappsec-csp#394 for details about
this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP
  plugin-types directive.
* Checked neiter <embed>, <object> or <applet> tags are used in eiter
  phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <[email protected]>
rfrandse pushed a commit to ibm-openbmc/bmcweb that referenced this issue Jul 14, 2022
The HTTP Content-Security-Policy (CSP) plugin-types directive has been
removed from the specification and is not supported by most browsers.
Chrome browser suggests to specify "object-src 'none'" instead to block
plugins, so replace it with that directive.

Refer w3c/webappsec-csp#394 for details about
this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP
  plugin-types directive.
* Checked neiter <embed>, <object> or <applet> tags are used in eiter
  phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <[email protected]>

Co-authored-by: Jiaqing Zhao <[email protected]>
ryandel8834 added a commit to ryandel8834/WebAppSec-CSP that referenced this issue Aug 13, 2022
This change removes the plugin-types directive and related algorithms.
Cf. w3c/webappsec-csp#394 for background
gtmills pushed a commit to gtmills/bmcweb that referenced this issue Dec 12, 2022
The HTTP Content-Security-Policy (CSP) plugin-types directive has been
removed from the specification and is not supported by most browsers.
Chrome browser suggests to specify "object-src 'none'" instead to block
plugins, so replace it with that directive.

Refer w3c/webappsec-csp#394 for details about
this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP
  plugin-types directive.
* Checked neiter <embed>, <object> or <applet> tags are used in eiter
  phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <[email protected]>
barhenthv added a commit to barhenthv/content that referenced this issue Aug 2, 2024
* Push the “fixable flaws” button

* Drop CSP plugin-types spec reference & deprecate

w3c/webappsec-csp#394 completely removed the
plugin-types directive from the CSP spec. So it’s now deprecated and no
longer part of any current spec.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants