RESOLVED FIXED 94432
'plugin-types' CSP warning should include details about explicit type declaration when relevant.
https://bugs.webkit.org/show_bug.cgi?id=94432
Mike West
Reported 2012-08-19 12:38:27 PDT
The `plugin-types` directive, as currently implemented, enforces a strict requirement that all plugin types be explicitly declared in a protected resource. If a developer doesn't include an explicit `type` attribute on her `object` or `embed` elements, the `plugin-types` directive will block it. This isn't clear from the current error message. I'd like to add an additional line to the error in the case where a plugin is blocked due to a lack of an explicit declaration.
Attachments
Patch (5.35 KB, patch)
2012-08-19 12:45 PDT, Mike West
no flags
Changing the string a bit. (5.76 KB, patch)
2012-08-20 01:17 PDT, Mike West
no flags
Patch (5.75 KB, patch)
2012-08-20 01:19 PDT, Mike West
no flags
Mike West
Comment 1 2012-08-19 12:45:00 PDT
Adam Barth
Comment 2 2012-08-19 13:54:30 PDT
Comment on attachment 159302
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=159302&action=review

> Source/WebCore/page/ContentSecurityPolicy.cpp:866
> + message = message + "\nWhen enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').\n";

CSP -> Content-Security-Policy
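Review bot: the string appended at ContentSecurityPolicy.cpp:866 ends with a trailing `\n`, and going by the full message quoted in comment 3 this sentence is the last part of the console message, so the message ends on a line break; consider dropping the final `\n` and keeping only the leading one. The example in the string also names only `<object>`, while the report says the same requirement applies to `embed` elements, so mentioning both tags would avoid suggesting the rule is specific to `object`.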
Mike West
Comment 3 2012-08-19 14:03:05 PDT
Comment on attachment 159302
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=159302&action=review

>> Source/WebCore/page/ContentSecurityPolicy.cpp:866
>> + message = message + "\nWhen enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').\n";
>
> CSP -> Content-Security-Policy

The whole message is:

"Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>')."

Since I spelled it out in the first sentence, it didn't seem necessary in the second. *shrug* I'm happy to expand it if you think it's potentially confusing.
Adam Barth
Comment 4 2012-08-19 14:55:59 PDT
Ok.
Mike West
Comment 5 2012-08-20 01:17:24 PDT
Created attachment 159355 [details] Changing the string a bit.
Mike West
Comment 6 2012-08-20 01:19:50 PDT
Mike West
Comment 7 2012-08-20 01:20:55 PDT
(In reply to comment #5)
> Created an attachment (id=159355)
> Changing the string a bit.

It's now

"CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>')."

which avoids the problem of mentioning CSP twice in the error message. :)
Adam Barth
Comment 8 2012-08-20 11:16:18 PDT
Excellent
WebKit Review Bot
Comment 9 2012-08-20 11:33:36 PDT
Comment on attachment 159356
Patch

Clearing flags on attachment: 159356

Committed r126047: <http://trac.webkit.org/changeset/126047>
WebKit Review Bot
Comment 10 2012-08-20 11:33:39 PDT
All reviewed patches have been landed. Closing bug.
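The behaviour this bug documents, as an added example that is not part of the original thread or of WebKit's code: a simplified JavaScript model of the `plugin-types` check that looks only at the element's declared `type` attribute and reproduces the final message wording from comment 7. The function names, the sample policy and the URLs are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the 'plugin-types' check described
// in this bug. Function and field names are hypothetical, not WebKit's.

// Extract the media types listed by 'plugin-types' from a policy string.
// Returns null when the directive is absent (no restriction applies).
function pluginTypesFromPolicy(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'plugin-types') {
      return values.map((v) => v.toLowerCase());
    }
  }
  return null;
}

// Decide whether a plugin load is allowed. `declaredType` is the value of the
// element's 'type' attribute, or '' when the attribute is missing.
function checkPluginLoad(policy, url, declaredType) {
  const allowed = pluginTypesFromPolicy(policy);
  if (allowed === null) return { allowed: true, message: null };

  const type = (declaredType || '').trim().toLowerCase();
  if (type !== '' && allowed.includes(type)) {
    return { allowed: true, message: null };
  }

  // Wording follows the console message quoted in comment 7.
  let message =
    `Refused to load '${url}' (MIME type '${type}') because it violates the ` +
    `following Content Security Policy Directive: 'plugin-types ${allowed.join(' ')}'.`;
  if (type === '') {
    message +=
      " When enforcing the 'plugin-types' directive, the plugin's media type " +
      "must be explicitly declared with a 'type' attribute on the containing " +
      `element (e.g. '<object type="[TYPE GOES HERE]" ...>').`;
  }
  return { allowed: false, message };
}

// Constructed sample inputs.
const policy = "default-src 'self'; plugin-types application/pdf";
const cases = [
  ['http://example.test/doc.pdf', 'application/pdf'], // declared and listed
  ['http://example.test/app.swf', 'application/x-shockwave-flash'], // declared, not listed
  ['http://example.test/doc.pdf', ''], // no type attribute
];
for (const [url, type] of cases) {
  console.log(checkPluginLoad(policy, url, type));
}
```

Only the third case gets the extra hint: the resource would have been acceptable, but the element never declared its type.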