Remove deprecated plugin-types CSP directive

.gitignore

@@ -11,3 +11,4 @@ coverage
 pkg
 rdoc
 spec/reports
+vendor/bundle

README.md

@@ -72,7 +72,6 @@ SecureHeaders::Configuration.default do |config|
     media_src: %w(utoob.com),
     object_src: %w('self'),
     sandbox: true, # true and [] will set a maximally restrictive setting
-    plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     script_src_elem: %w('self'),
     script_src_attr: %w('self'),

lib/secure_headers/headers/policy_management.rb

@@ -58,15 +58,13 @@ def self.included(base)
     CHILD_SRC = :child_src
     FORM_ACTION = :form_action
     FRAME_ANCESTORS = :frame_ancestors
-    PLUGIN_TYPES = :plugin_types
 
     DIRECTIVES_2_0 = [
       DIRECTIVES_1_0,
       BASE_URI,
       CHILD_SRC,
       FORM_ACTION,
-      FRAME_ANCESTORS,
-      PLUGIN_TYPES
+      FRAME_ANCESTORS
     ].flatten.freeze
 
     # All the directives currently under consideration for CSP level 3.
@@ -128,7 +126,6 @@ def self.included(base)
       MEDIA_SRC                 => :source_list,
       NAVIGATE_TO               => :source_list,
       OBJECT_SRC                => :source_list,
-      PLUGIN_TYPES              => :media_type_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
       REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
       REPORT_URI                => :source_list,
@@ -281,7 +278,6 @@ def merge_policy_additions(original, additions)
       def list_directive?(directive)
         source_list?(directive) ||
           sandbox_list?(directive) ||
-          media_type_list?(directive) ||
           require_sri_for_list?(directive) ||
           require_trusted_types_for_list?(directive)
       end
@@ -313,10 +309,6 @@ def sandbox_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :sandbox_list
       end
 
-      def media_type_list?(directive)
-        DIRECTIVE_VALUE_TYPES[directive] == :media_type_list
-      end
-
       def require_sri_for_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
       end
@@ -338,8 +330,6 @@ def validate_directive!(directive, value)
           end
         when :sandbox_list
           validate_sandbox_expression!(directive, value)
-        when :media_type_list
-          validate_media_type_expression!(directive, value)
         when :require_sri_for_list
           validate_require_sri_source_expression!(directive, value)
         when :require_trusted_types_for_list
@@ -364,20 +354,6 @@ def validate_sandbox_expression!(directive, sandbox_token_expression)
         end
       end
 
-      # Private: validates that a media type expression:
-      # 1. is an array of strings
-      # 2. each element is of the form type/subtype
-      def validate_media_type_expression!(directive, media_type_expression)
-        ensure_array_of_strings!(directive, media_type_expression)
-        valid = media_type_expression.compact.all? do |v|
-          # All media types are of the form: <type from RFC 2045> "/" <subtype from RFC 2045>.
-          v =~ /\A.+\/.+\z/
-        end
-        if !valid
-          raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of valid media types (ex. application/pdf)")
-        end
-      end
-
       # Private: validates that a require sri for expression:
       # 1. is an array of strings
       # 2. is a subset of ["string", "style"]

spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -41,7 +41,6 @@ module SecureHeaders
           media_src: %w(utoob.com),
           navigate_to: %w(netscape.com),
           object_src: %w('self'),
-          plugin_types: %w(application/x-shockwave-flash),
           prefetch_src: %w(fetch.com),
           require_sri_for: %w(script style),
           require_trusted_types_for: %w('script'),
@@ -146,18 +145,6 @@ module SecureHeaders
         end.to_not raise_error
       end
 
-      it "rejects anything not of the form type/subtype as a plugin-type value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "accepts anything of the form type/subtype as a plugin-type value " do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
-        end.to_not raise_error
-      end
-
       it "doesn't allow report_only to be set in a non-report-only config" do
         expect do
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: true)))