Remove plugin-types #456
Merged
Remove plugin-types #456
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change removes the plugin-types directive and related algorithms. Cf. w3c#394 for background
antosart
force-pushed
the
remove-plugin-types
branch
from
861a947
to
d631d86
Compare
mikewest
reviewed
Jan 15, 2021
There was a problem hiding this comment.
Thanks, this looks pretty reasonable. You'll also want to put up a PR against HTML to remove the references in https://html.spec.whatwg.org/#the-object-element:should-plugin-element-be-blocked-a-priori-by-content-security-policy and https://html.spec.whatwg.org/#the-embed-element:should-plugin-element-be-blocked-a-priori-by-content-security-policy. I'd also like to see a PR to remove the WPT referencing this mechanism (which you could certainly produce through Chromium's Gerrit integration).
Anne/Mozilla seem on board, since they never shipped this mechanism. It'd be a good idea to file a bug against WebKit (and perhaps @johnwilander and/or @cdumez could help us find a reasonable person to CC?).
|
|
||
| <pre dfn-type="grammar" link-type="grammar"> | ||
| directive-name = "plugin-types" | ||
| directive-value = <a>media-type-list</a> |
There was a problem hiding this comment.
This is the only place we use media-type-list. I don't think we need it anywhere else, so let's remove it from the grammar above as well.
There was a problem hiding this comment.
it is removed already (it is defined at line 3397 below)
antosart
pushed a commit
to antosart/html
that referenced
this pull request
Jan 15, 2021
With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456 This change removes references to the relative algorithm in the Content Security Policy spec.
antosart
pushed a commit
to antosart/html
that referenced
this pull request
Jan 15, 2021
With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456 This change removes references to the relative algorithm in the Content Security Policy spec.
3 tasks
|
Does Content-Security-Policy: plugin-types application/x-shockwave-flashand then checking whether PDFs still display inside This would be worth writing a web platform test for, as well. /cc @annevk. |
In Chrome, this analysis is correct. We render PDF via PDFium, which is implemented via the plugin infrastructure, and we would block the PDF today. After this patch, we would no longer block the load. Firefox never implemented I haven't checked WebKit, other than light manual inspection of their codebase. It would be worth doing so and filing deprecation requests accordingly.
I'm not sure we need a test to verify that a thing that isn't in a spec doesn't have an effect. That's a pretty wide spectrum of things (including, for example |
|
In WHATWG land we do create tests for removed features (usually in some file named "historical") to ensure they do not get accidentally added again. While the risk is low, it seems worth doing here as well, especially if you keep some code around for DevTools. |
antosart
pushed a commit
to antosart/html
that referenced
this pull request
Jan 18, 2021
With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456 This change removes references to the relative algorithm in the Content Security Policy spec.
|
+1 to adding tests, especially one along the lines of #456 (comment). That will be a blocker for merging whatwg/html#6292 |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 5, 2021
The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true
domenic
pushed a commit
to whatwg/html
that referenced
this pull request
Feb 5, 2021
With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456. This change removes references to the relevant algorithm from the Content Security Policy spec.
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 8, 2021
The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 8, 2021
The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#851760}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 8, 2021
The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#851760}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Feb 12, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Feb 12, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: 4e4ad3f0b99feaf9b72d23791ccb770a652cca20
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: d137cd61151f86944a50e788d152c45f3323d3a8
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: 4e4ad3f0b99feaf9b72d23791ccb770a652cca20
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: d137cd61151f86944a50e788d152c45f3323d3a8
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: 4e4ad3f0b99feaf9b72d23791ccb770a652cca20
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Feb 16, 2021
…testonly Automatic update from web-platform-tests CSP: Remove 'plugin-types' directive The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#851760} -- wpt-commits: 8959b13684b68186781340c044d9c1b62a388358 wpt-pr: 27500 UltraBlame original commit: d137cd61151f86944a50e788d152c45f3323d3a8
imhele
added a commit
to imhele/html
that referenced
this pull request
Feb 18, 2021
* Editorial: remove redundant "the" * Meta: default branch rename Also correct a broken link. Not even w3.org URLs are that cool. Helps with whatwg/meta#174. * Editorial: clean up calls to "parse a URL" It actually takes a string, so calls should be clear about that. * Review Draft Publication: January 2021 * Simplify <link>s In particular, remove their activation behavior, stop them from matching :link and :visited, and stop suggesting that they be focusable areas. This also includes a slight expansion and rearrangement of the link element's section to make it clearer what hyperlinks created by <link> are meant for, contrasting them to <a> and <area> hyperlinks. Closes whatwg#4831. Closes whatwg#2617. Helps with whatwg#5490. * Meta: remove demos/offline/* (whatwg#6307) These are no longer needed as of e4330d5. * Meta: minor references cleanup Use more HTTPS and drop obsolete HTML Differences reference. * Editorial: anticlockwise → counterclockwise We use en-US these days. Spotted in https://twitter.com/iso2022jp/status/1352601086519955456. * Use :focus-visible in the UA stylesheet See w3c/csswg-drafts#4278. * Editorial: align with WebIDL and Infra * Fix "update a style block" early return The new version matches implementation reality and CSSWG resolution. The algorithm was also inconsistent, as it looked at whether the element was in a shadow tree or in the document tree, but it was only specified to be re-run if the element becomes connected or disconnected. The CSSWG discussed this in w3c/csswg-drafts#3096 (comment) and http://wpt.live/shadow-dom/ShadowRoot-interface.html tests this. This also matches closer the definition of <link rel="stylesheet">, which does use connectedness (though it uses "browsing-context connected", which is a bit different): https://html.spec.whatwg.org/#link-type-stylesheet * Modernize and refactor simple dialogs This contains a small bug fix, in that confirm() and prompt() said "return" in some cases instead of "return false" or "return null" as appropriate. Other notable changes, all editorial, are: * Factoring out repeated "cannot show simple dialogs" steps, which will likely expand over time (see e.g. whatwg#6297). * Separating out and explaining the no-argument overload of alert(). * Passing the document through to the "printing steps", instead of just having them talk about "this Window object". * Meta: add definition markup for MessageEvent * Remove <marquee> events They are only supported by one engine (Gecko). Closes whatwg#2957. * Clarify when microtasks happen * Ignore COEP on non-secure contexts Fixes whatwg#6328. * Editorial: update URL Standard integration * Editorial: only invoke response's location URL once Complements whatwg/fetch#1149. * Track the incumbent settings and active script in Promise callbacks Closes whatwg#5213. * createImageBitmap(): stop clipping sourceRect to source's dimensions It has been found in whatwg#6306 that this was an oversight at the time of its introduction. Current behavior goes against author expectations and no implementer has opposed the change to "no-clip". Tests: web-platform-tests/wpt#27040. Closes whatwg#6306. * Remove CSP plugin-types blocking With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456. This change removes references to the relevant algorithm from the Content Security Policy spec. * Meta: set more dfn types A follow-up to: * whatwg#5694 * whatwg#5916 * Editorial: occuring → occurring * Make all plugin-related APIs no-ops Part of whatwg#6003. * Disallow simple dialogs from different-origin domain iframes Closes whatwg#5407. * Revive @@iterator for PluginArray/MimeTypeArray/Plugin @@iterator is implicitly installed by defining an indexed property getter. Since there is no other way to define it exclusively, this restores some methods back to being indexed getters. This fixes an inadvertent observable behavior change in d4f07b8. * Adjust web+ scheme security considerations to account for FTP removal Also, network scheme is now reduced to HTTP(S) scheme. Helps with whatwg#5375, but form submission issue remains. See whatwg/fetch#1166 for context. * Meta: export pause Nobody but XMLHttpRequest take a dependency on this please. You have been warned. Context: whatwg/xhr#311. * Fix typo: ancestor → accessor Fixes whatwg#6374. Co-authored-by: Dominic Farolino <domfarolino@gmail.com> Co-authored-by: Anne van Kesteren <annevk@annevk.nl> Co-authored-by: Domenic Denicola <d@domenic.me> Co-authored-by: Emilio Cobos Álvarez <emilio@crisal.io> Co-authored-by: Momdo Nakamura <xmomdo@gmail.com> Co-authored-by: Jake Archibald <jaffathecake@gmail.com> Co-authored-by: Yutaka Hirano <yhirano@chromium.org> Co-authored-by: Shu-yu Guo <syg@chromium.org> Co-authored-by: Kaiido <tristan.fraipont@gmail.com> Co-authored-by: Antonio Sartori <anton.sartori@gmail.com> Co-authored-by: Michael[tm] Smith <mike@w3.org> Co-authored-by: Ikko Ashimine <eltociear@gmail.com> Co-authored-by: Carlos IL <carlosjoan91@gmail.com> Co-authored-by: Kagami Sascha Rosylight <saschanaz@outlook.com> Co-authored-by: Simon Pieters <zcorpan@gmail.com>
mikewest
approved these changes
Feb 19, 2021
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
The Content Security Policy directive 'plugin-types' is being removed by the specification (w3c/webappsec-csp#456). This CL removes the code parsing and checking the 'plugin-types' directive from Blink and from the services/network CSP parser. All WP tests for plugin-types are removed, too. When parsing a plugin-types directive, we display a console error message informing that the directive has been removed and that object-src can be used instead. Bug: 1168001 Change-Id: I61420677a0f11f8daf46c473e578d66c932751d1 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2643282 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#851760} GitOrigin-RevId: 8f48b81f329ad794c71d05e85c7f7ca4772bdea4
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change removes the plugin-types directive and related algorithms.
Cf. #394 for background
Preview | Diff