W3C home > Mailing lists > Public > public-apa@w3.org > August 2018

CSP and bookmarklets

From: Léonie Watson <tink@tink.uk>
Date: Thu, 30 Aug 2018 10:33:54 +0100
To: W3C WAI Accessible Platform Architectures <public-apa@w3.org>
Message-ID: <11981fac-09c1-3cc8-d43d-82d9cd718687@tink.uk>

I took an action on the APA call yesterday, to find out whether Content 
Security Policy (CSP) blocks bookmarklet or not. With thanks to Mike 
West from the WebAppSec WG, it seems the answer is that it should not.

The CSP3 spec has a section on Vendor specific extensions and add-ons 
[1]. It includes this information:

"Policy enforced on a resource SHOULD NOT interfere with the operation 
of user-agent features like add-ons, extensions, or bookmarklet. These 
kinds of features generally advance the user’s priority over page 
authors, as espoused in [HTML-DESIGN]."

Mike did note that to some extent it will depend on the browser's 
implementation of CSP though. For example, it seems that Chrome allows 
the bookmarklet itself to execute, but might have trouble tracking the 
activity it injects into the page.

[1] https://w3c.github.io/webappsec-csp/#extensions

@LeonieWatson @tink@toot.cafe Carpe diem
Received on Thursday, 30 August 2018 09:34:22 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 30 August 2018 09:34:22 UTC