CSP 1.1: Changing 'plugin-types' behavior to strictly enforce content types.
author Mike West <mkwst@google.com>
Sun, 26 Aug 2012 16:43:51 +0200
changeset 150 5b353a8ac072
parent 149 393a53f308ba
child 151 9e865ab225e3

As proposed on the list[1], this patch changes the specification to require
that authors making use of the 'plugin-types' directive explicitly declare the
expected media type of resources loaded via 'object' and 'embed' elements. If
a 'type' attribute isn't present, or its value doesn't match the content type of
the loaded resource, then user agents must reject the resource, and should
display fallback content.

This new behavior is experimentally implemented in WebKit[2].

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Aug/0000.html
[2]: http://webk.it/91919
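As an added illustration (not code from the spec, WebKit, or this patch), the decision the changeset asks user agents to make can be modelled as a small function: given the `plugin-types` whitelist, the embedding element and the media type of the fetched resource, it reports whether a plugin would be instantiated or whether the user agent falls back. Comparing types after stripping parameters such as `; charset=` is an assumption here; the patch text only says "case-insensitive match".

```javascript
// Added example modelling the plugin-types rules in this changeset.
// Assumption: media types are compared case-insensitively with any
// parameters (e.g. "; charset=binary") ignored.
function normalizeMediaType(mt) {
  return String(mt).split(';')[0].trim().toLowerCase();
}

// Turn a plugin-types directive value into the allowed media type list.
// No wildcards: only explicitly listed types are allowed.
function parsePluginTypes(directiveValue) {
  return directiveValue.split(/\s+/).filter(Boolean).map(normalizeMediaType);
}

// element: { tag: 'object' | 'embed' | 'applet', type?: string }
// resourceType: media type reported for the fetched resource.
// Returns { allowed, reason }; allowed === false means the user agent
// acts as though the plugin reported an error and shows fallback content.
function shouldInstantiatePlugin(allowedTypes, element, resourceType) {
  const resType = normalizeMediaType(resourceType);
  if (element.tag === 'object' || element.tag === 'embed') {
    // Condition 1: object/embed must predeclare the expected type.
    if (element.type === undefined || element.type.trim() === '') {
      return { allowed: false, reason: 'no type attribute declared' };
    }
    // Condition 3: declared type must match what was actually served.
    if (normalizeMediaType(element.type) !== resType) {
      return { allowed: false, reason: 'type attribute does not match resource' };
    }
  } else if (element.tag === 'applet') {
    // Condition 4: applet elements may only load Java applets.
    if (resType !== 'application/x-java-applet') {
      return { allowed: false, reason: 'applet resource is not a Java applet' };
    }
  }
  // Condition 2: the served type must be on the whitelist.
  if (!allowedTypes.includes(resType)) {
    return { allowed: false, reason: 'media type not whitelisted' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample policy and a MIME-confusion case: the page declares
// a PDF, but the server responds with Flash content. Even though Flash is
// whitelisted, the declared/served mismatch blocks it.
const samplePolicy = parsePluginTypes('application/pdf application/x-shockwave-flash');
const sampleResult = shouldInstantiatePlugin(
  samplePolicy, { tag: 'object', type: 'application/pdf' }, 'application/x-shockwave-flash'
);
```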
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sat Aug 18 11:02:21 2012 +0200
     1.2 +++ b/csp-specification.dev.html	Sun Aug 26 16:43:51 2012 +0200
     1.3 @@ -1477,19 +1477,42 @@
     1.4          <a href="#parse-a-media-type-list">parsing the <code>plugin-types</code>
     1.5          directive's value as a media type list</a></p>
     1.6  
     1.7 -        <p>When enforcing the <code>plugin-types</code> directive:</p>
     1.8 +        <p>Whenever the user agent would instantiate a <a
     1.9 +        href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
    1.10 +        to handle <var>resource</var> while enforcing the
    1.11 +        <code>plugin-types</code> directive, the user agent MUST instead act as
    1.12 +        though the plugin reported an error if any of the following conditions
    1.13 +        hold:</p>
    1.14 +
    1.15          <ul>
    1.16 -            <li>Whenever the user agent would instantiate a <a
    1.17 -            href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
    1.18 -            for the protected resource to handle a resource whose media type
    1.19 -            does not <a href="#dfn-matches-a-media-type-list">match</a> the list
    1.20 -            of <a href="#dfn-allowed-plugin-types">allowed plugin types</a>,
    1.21 -            the user agent MUST instead act as though the plugin reported an
    1.22 -            error (which will cause the user agent to display the <a
    1.23 -            href="http://www.whatwg.org/specs/web-apps/current-work/#fallback-content">fallback
    1.24 -            content</a>).</li>
    1.25 +            <li>The plugin is embedded into the protected resource via an
    1.26 +            <code>object</code> or <code>embed</code> element that does not
    1.27 +            explicitly declare a <a
    1.28 +            href="http://www.whatwg.org/specs/web-apps/current-work/#mime-type">MIME type</a>
    1.29 +            with a <code>type</code> attribute.</li>
    1.30 +
    1.31 +            <li><var>resource</var>'s media type does not <a
    1.32 +            href="#match-a-media-type-list">match</a> the list of <a
    1.33 +            href="#dfn-allowed-plugin-media-types">allowed plugin media
    1.34 +            types</a>.</li>
    1.35 +
    1.36 +            <li>The plugin is embedded into the protected resource via an
    1.37 +            <code>object</code> or <code>embed</code> element, and the media
    1.38 +            type declared in the element's <code>type</code> attribute is not
    1.39 +            a case-insensitive match for the <var>resource</var>'s media
    1.40 +            type.</li>
    1.41 +
    1.42 +            <li>The plugin is embedded into the protected resource via an
    1.43 +            <code>applet</code> element, and <var>resource</var>'s media type
    1.44 +            is not a case-insensitive match for
    1.45 +            <code>application/x-java-applet</code>.</li>
    1.46          </ul>
    1.47  
    1.48 +        <p>Note that in any of these cases, acting as though the plugin reported an error
    1.49 +        will cause the user agent to display the <a
    1.50 +        href="http://www.whatwg.org/specs/web-apps/current-work/#fallback-content">fallback
    1.51 +        content</a>.</p>
    1.52 +
    1.53          <section class="informative">
    1.54            <h5>Usage</h5>
    1.55            <p>The <code>plugin-types</code> directive whitelists a certain set
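Review bot: the second bullet's link targets change from `#dfn-matches-a-media-type-list` and `#dfn-allowed-plugin-types` to `#match-a-media-type-list` and `#dfn-allowed-plugin-media-types`, but no hunk in this changeset renames those definitions, so unless the anchors were already changed elsewhere these are dangling links; the rendered document should be checked. The third and fourth bullets also require a "case-insensitive match" between media types without saying whether parameters on the served media type (for example a `charset` parameter) are ignored; a clause settling that, or a pointer to the media type list matching algorithm, would stop implementations diverging on which responses are blocked.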
    1.56 @@ -1509,6 +1532,23 @@
    1.57            <p>Note that wildcards are not accepted in the
    1.58            <code>plugin-types</code> directive. Only the resource types
    1.59            explicitly listed in the directive will be allowed.</p>
    1.60 +      </section>
    1.61 +      <section class="informative">
    1.62 +          <h5>Predeclaration of expected media types</h5>
    1.63 +          <p>Enforcing the <code>plugin-types</code> directive requires that
    1.64 +          <code>object</code> and <code>embed</code> elements declare the
    1.65 +          expected media type of the resource they include via the
    1.66 +          <code>type</code> attribute. If an author expects to load a PDF, she
    1.67 +          could specify this as follows:</p>
    1.68 +          <pre>&lt;object data="<var>resource</var>" type="application/pdf"&gt;&lt;/object&gt;</pre>
    1.69 +          <p>If <var>resource</var> isn't actually a PDF file, it won't
    1.70 +          load. This prevents certain types of attacks that rely on serving
    1.71 +          content that unexpectedly invokes a plugin other than that which the
    1.72 +          author intended.</p>
    1.73 +          <p>Note that <var>resource</var> will not load in this scenario even
    1.74 +          if its media type is otherwise whitelisted: resources will only load
    1.75 +          when their media type is whitelisted <em>and</em> matches the
    1.76 +          declared type in their containing element.</p>
    1.77          </section>
    1.78        </section>
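Review bot: the new informative section says enforcement "requires that `object` and `embed` elements declare the expected media type", but the normative list added in the first hunk also constrains `applet` elements (the resource must be `application/x-java-applet`); a sentence covering that case would keep the usage text in step with the normative rules. The `<object data="resource" type="application/pdf"></object>` example would also read better with fallback content inside the element, since the surrounding text explains that a mismatch results in the fallback being shown.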
    1.79