audit: no plugins

[igrigorik]

Should we have an audit to discourage use of plugins? E.g. we already list use of Flash as a common mistake in our "mobile friendly documentation"

Some types of videos or content are not playable on mobile devices, such as license-constrained media or experiences that require Flash or other players that are not broadly supported on mobile devices. Unplayable content, when featured on a page of any website can be very frustrating for users.

A "simple" way to ensure that this is the case:

• check that the site's CSP policy sets object-src 'none'
• check that iframes have a sandbox attribute

[samccone]

👍 I like this idea

---

We should think about adding a CSP gatherer, or a CSP audit --- not sure if this will sit ontop of the HTML gatherer or if we can be smarter about it.

[paullewis]

Definitely like this idea. Looking into CSP stuff to see what we can do.

[paullewis]

Okay, so @mikewest says in the longer term we may have https://w3c.github.io/webappsec-csp/api/ to play with, for now I'll roll with checking the headers. Which I think we should be able to do from the existing Network records gather.

[paulirish]

dupe of #3180 now.