CSP: Give actionnable error for plugin-type empty.

Users wanting to prevent plugins to be used were providing an empty list of plugin type to the 'plugin-types' directive. As a result, they were getting a console error, despite getting the intended behavior. It was not clear to the user what was wrong. Users should use object-src: 'none' instead. This patch reflects this into the error message. Bug: 1111546 Fixed: 1111546 Change-Id: I64a266582e33fa3417293ebfdb2e6bf87e08578e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2584943 Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#836552}

CSP: Give actionnable error for plugin-type empty.
Users wanting to prevent plugins to be used were providing an empty list of plugin type to the 'plugin-types' directive. As a result, they were getting a console error, despite getting the intended behavior. It was not clear to the user what was wrong. Users should use object-src: 'none' instead. This patch reflects this into the error message. Bug: 1111546 Fixed: 1111546 Change-Id: I64a266582e33fa3417293ebfdb2e6bf87e08578e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2584943 Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#836552}
2d6c0690 · arthursonzogni · Chromium LUCI CQ · d3c63c33 · 2d6c0690 · 2d6c0690
Commit 2d6c0690 authored Dec 14, 2020 by arthursonzogni Committed by Chromium LUCI CQ Dec 14, 2020
2 changed files
--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
@@ -1295,21 +1295,23 @@ void ContentSecurityPolicy::ReportDuplicateDirective(const String& name) {
 void ContentSecurityPolicy::ReportInvalidPluginTypes(
    const String& plugin_type) {
  String message;
-  if (plugin_type.IsNull())
+  if (plugin_type.IsNull()) {
    message =
        "'plugin-types' Content Security Policy directive is empty; all "
-        "plugins will be blocked.\n";
+        "plugins will be blocked. To disallow all plugins, the \"object-src "
-  else if (plugin_type == "'none'")
+        "'none'\" directive should be used instead.\n";
+  } else if (plugin_type == "'none'") {
    message =
        "Invalid plugin type in 'plugin-types' Content Security Policy "
        "directive: '" +
        plugin_type +
        "'. Did you mean to set the object-src directive to 'none'?\n";
-  else
+  } else {
    message =
        "Invalid plugin type in 'plugin-types' Content Security Policy "
        "directive: '" +
        plugin_type + "'.\n";
+  }
  LogToConsole(message);
 }

--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt
-CONSOLE ERROR: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.
+CONSOLE ERROR: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked. To disallow all plugins, the "object-src 'none'" directive should be used instead.
 CONSOLE ERROR: line 16: Refused to load 'data:application/x-blink-test-plugin,' (MIME type 'application/x-blink-test-plugin') because it violates the following Content Security Policy Directive: 'plugin-types '.
-CONSOLE ERROR: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.
+CONSOLE ERROR: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked. To disallow all plugins, the "object-src 'none'" directive should be used instead.
 CONSOLE ERROR: line 16: Refused to load 'data:application/x-blink-test-plugin,' (MIME type 'application/x-blink-test-plugin') because it violates the following Content Security Policy Directive: 'plugin-types '.