- From: Léonie Watson <tink@tink.uk>
- Date: Thu, 30 Aug 2018 10:33:54 +0100
- To: W3C WAI Accessible Platform Architectures <public-apa@w3.org>

Apa,

I took an action on the APA call yesterday, to find out whether Content Security Policy (CSP) blocks bookmarklets or not.

With thanks to Mike West from the WebAppSec WG, it seems the answer is that it should not.

The CSP3 spec has a section on Vendor specific extensions and add-ons [1]. It includes this information:

"Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like add-ons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN]."

Mike did note that to some extent it will depend on the browser's implementation of CSP though. For example, it seems that Chrome allows the bookmarklet itself to execute, but might have trouble tracking the activity it injects into the page.

Léonie

[1] https://w3c.github.io/webappsec-csp/#extensions

--
@LeonieWatson @tink@toot.cafe Carpe diem

Received on Thursday, 30 August 2018 09:34:22 UTC