ISSUE-74: allow explicitly setting the 'none' keyword source for plugin-type directive
plugin-types 'none'
- State: RAISED
- Product: CSP Level 3
- Raised by: Brad Hill
- Opened on: 2014-12-30
- Description:
- Craig Francis (craig@craigfrancis.co.uk) to public-webappsec
Hi,
In regards to the plugin-types:
http://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types
Google Chrome (v40) complains if you set 'none' for the plugin-types directive (or leave it blank).
https://groups.google.com/a/chromium.org/d/msg/security-dev/UqCSmNUHhNg/XBlvV_E5eowJ
I would personally prefer to have this option, so the default for the website is to always return 'none', then plugin-types can be set as needed (along with the object-src).
- Related Actions Items: No related actions
- Related emails: No related emails
Related notes:
No additional notes.
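A policy lint for the behaviour reported in this issue, as an added example that is not part of the original thread or of any browser's code: it flags a `plugin-types` directive whose value is empty or contains a token such as `'none'` that is not a media type. It assumes the CSP Level 2 grammar, in which `plugin-types` takes a list of `type/subtype` values; the function names and sample policies are constructed for illustration.

```python
import re

# RFC 2045 "token": printable ASCII except space, controls and tspecials.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z{}]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def parse_policy(policy):
    """Split a serialized CSP into {directive-name: [values]}.

    Names are lowercased; a repeated directive is ignored, so the first wins.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_plugin_types(policy):
    """Return findings for plugin-types values that are not type/subtype."""
    directives = parse_policy(policy)
    if "plugin-types" not in directives:
        return []
    values = directives["plugin-types"]
    if not values:
        return ["plugin-types: empty value, expected at least one media type"]
    return [
        f"plugin-types: {v!r} is not a media type (type/subtype)"
        for v in values
        if not _MEDIA_TYPE.fullmatch(v)
    ]


# Constructed sample policies, not taken from the thread.
SAMPLES = [
    "default-src 'self'; object-src 'none'; plugin-types 'none'",
    "default-src 'self'; object-src 'none'; plugin-types",
    "default-src 'self'; object-src 'self'; plugin-types application/pdf",
]

if __name__ == "__main__":
    for policy in SAMPLES:
        print(policy, "->", lint_plugin_types(policy) or "ok")
```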