The `plugin-types` directive, as currently implemented, enforces a strict requirement that all plugin types be explicitly declared in a protected resource. If a developer doesn't include an explicit `type` attribute on her `object` or `embed` elements, the `plugin-types` directive will block it. This isn't clear from the current error message. I'd like to add an additional line to the error in the case where a plugin is blocked due to a lack of an explicit declaration.
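The check described in the report above, sketched as an added example (not part of the bug report or the WebKit patch): it audits a page's `object`/`embed` elements against a policy and separates the "no explicit `type`" case from the "type not listed" case. The helper names and sample data are hypothetical, and only the declared-type check is modelled.

```javascript
// Added example: audits markup against a 'plugin-types' policy.
// parsePluginTypes and auditPlugins are hypothetical helper names.

// Extract the media types listed in the plugin-types directive, or null
// when the policy has no such directive (no restriction is enforced).
function parsePluginTypes(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'plugin-types') {
      return new Set(values.map((v) => v.toLowerCase()));
    }
  }
  return null;
}

// Classify each plugin element: 'allowed', 'blocked-undeclared' (no explicit
// type attribute, the case the extra console message explains) or
// 'blocked-not-listed' (the declared type is not in the directive).
function auditPlugins(policy, elements) {
  const allowedTypes = parsePluginTypes(policy);
  return elements.map((el) => {
    const declared = (el.type || '').trim().toLowerCase();
    let verdict = 'allowed';
    if (allowedTypes !== null) {
      if (declared === '') verdict = 'blocked-undeclared';
      else if (!allowedTypes.has(declared)) verdict = 'blocked-not-listed';
    }
    return { tag: el.tag, src: el.src, verdict };
  });
}

// Constructed sample input (not taken from the WebKit test suite).
const samplePolicy = "default-src 'self'; plugin-types application/pdf";
const sampleElements = [
  { tag: 'object', src: '/doc.pdf', type: 'application/pdf' },
  { tag: 'embed', src: '/doc.pdf' },
  { tag: 'object', src: '/movie.swf', type: 'application/x-shockwave-flash' },
];

for (const r of auditPlugins(samplePolicy, sampleElements)) {
  console.log(`${r.tag} ${r.src}: ${r.verdict}`);
}
```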
Created attachment 159302 Patch
Comment on attachment 159302 Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=159302&action=review

> Source/WebCore/page/ContentSecurityPolicy.cpp:866
> + message = message + "\nWhen enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').\n";

CSP -> Content-Security-Policy
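Review bot: The sentence appended at ContentSecurityPolicy.cpp:866 refers to "media type restrictions via CSP" without naming the directive that caused the block; naming 'plugin-types' there would tie the hint to the directive quoted earlier in the same message and avoid the bare abbreviation. The literal also ends with a trailing "\n", so the console message finishes on a newline; consider dropping it unless other violation messages end the same way.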
Comment on attachment 159302 Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=159302&action=review

>> Source/WebCore/page/ContentSecurityPolicy.cpp:866
>> + message = message + "\nWhen enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').\n";
>
> CSP -> Content-Security-Policy

The whole message is:

"Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing media type restrictions via CSP, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>')."

Since I spelled it out in the first sentence, it didn't seem necessary in the second. *shrug* I'm happy to expand it if you think it's potentially confusing.
Ok.
Created attachment 159355 Changing the string a bit.
Created attachment 159356 Patch
(In reply to comment #5)
> Created an attachment (id=159355)
> Changing the string a bit.

It's now

"CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>')."

which avoids the problem of mentioning CSP twice in the error message. :)
Excellent
Comment on attachment 159356 Patch

Clearing flags on attachment: 159356

Committed r126047: <http://trac.webkit.org/changeset/126047>
All reviewed patches have been landed. Closing bug.