- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Wed, 14 Dec 2011 14:32:15 -0800 (PST)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: public-web-security@w3.org

> From: "Boris Zbarsky" <bzbarsky@MIT.EDU>
> To: public-web-security@w3.org
> Sent: Wednesday, December 14, 2011 2:12:20 PM
> Subject: Re: Proposed directive for CSP.next: "no-user-js"
>
> Would this affect developer tools?

Yes it would, and an implementation detail that I left out of the proposal would be that we'd probably add a pref to disable this restriction for power users who want to turn off the safety catch.

> Would this affect something like Greasemonkey?

I would argue that it should not affect Greasemonkey for the same reasons that I gave for not applying the restriction to javascript: bookmarks. I can be persuaded here, though. It's definitely a grey area.

-Brandon

> -Boris

Received on Wednesday, 14 December 2011 22:32:43 UTC