From e233f8edc2c493dcdbf3f3dfac93d4dd365155eb Mon Sep 17 00:00:00 2001 From: Mike West Date: Mon, 1 Aug 2016 12:40:41 +0200 Subject: [PATCH] Plugin loading hooks. --- index.src.html | 65 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 2 deletions(-) diff --git a/index.src.html b/index.src.html index 71d9642076..69b6d32dcf 100644 --- a/index.src.html +++ b/index.src.html @@ -68,6 +68,7 @@

Content Security Policy Level 3

text: queue a task text: event handler IDL attributes urlPrefix: infrastructure.html + text: valid MIME type text: fire; url: concept-event-fire text: trusted; url: concept-event-trusted text: case-sensitive; url: case-sensitive @@ -132,6 +133,7 @@

Content Security Policy Level 3

text: request; url: concept-request text: response; url: concept-response text: header; url: concept-header + text: extracting a MIME type; url: concept-header-extract-mime-type text: network error; url: concept-network-error for: header text: name; url: concept-header-name @@ -1118,6 +1120,14 @@

base URL algorithm to ensure that the <{base/href}> attribute's value is valid. + 9. [[#should-plugin-element-be-blocked-a-priori-by-content-security-policy]] + is called during the processing of <{object}>, <{embed}>, and <{applet}> + elements to determine whether they may trigger a fetch. + + Note: Fetched plugin resources are handled in [[#should-block-response]]. + + ISSUE: Upstream this to WHATWG and W3C. +

Initialize a `Document`'s `CSP list`

@@ -2960,7 +2970,7 @@

`plugin-types`

If a `plugin-types` directive is present, instantiation of an <{embed}> or <{object}> element will fail if any of the following conditions hold: - 1. The element does not explicitly declare a MIME type via a + 1. The element does not explicitly declare a valid MIME type via a <{embed/type}> attribute. 2. The declared type does not match one of the items in the directive's @@ -3002,7 +3012,58 @@

`plugin-types`

- ISSUE: Define the hooks into HTML's plugin loading algorithms. +
+ `plugin-types` Response Check +
+ + This directive's response check algorithm is as + follows: + + Given a request (|request|), a response (|response|), and a + policy (|policy|): + + 1. If |request|'s destination is either "`object`" + or "`embed`": + + 1. Let |type| be the result of extracting a MIME type from + |response|'s header list. + + 2. If |type| is not an ASCII case-insensitive match for any item + in this directive's value, return "`Blocked`". + + 2. Return "`Allowed`". + +
+ Should |plugin element| be blocked a priori by Content + Security Policy?: +
+ + Given an {{Element}} (|plugin element|), this algorithm returns "`Blocked`" + or "`Allowed`" based on the element's `type` attribute and the policy applied to + its document: + +
    + 1. For each |policy| in |plugin element|'s node document's + CSP list: + + 1. If |policy| contains a directive (|directive|) whose name is + `plugin-types`: + + 1. Let |type| be "`application/x-java-applet`" if |plugin element| + is an <{applet}> element, or |plugin element|'s `type` attribute's + value if present, or "`null`" otherwise. + + 2. Return "`Blocked`" if any of the following are true: + + 1. |type| is `null`. + + 2. |type| is not a valid MIME type. + + 3. |type| is not an ASCII case-insensitive match for any + item in |directive|'s value. + + 2. Return "`Allowed`". +

`sandbox`