Re: [webappsec] CSP META tag support - keep or remove?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 4 Apr 2012 17:41:08 -0700
Message-ID: <CAJE5ia8k0=XRUcs7UaHhBsbcgkovVxU=V_a=-fQUTK-BB=6prw@mail.gmail.com>
To: Giorgio Maone <g.maone@informaction.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, public-webappsec@w3.org

On Wed, Apr 4, 2012 at 2:38 AM, Giorgio Maone <g.maone@informaction.com> wrote:
> On 03/04/2012 03:33, Adam Barth wrote:
>> On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> To me, applications such as browser extensions (e.g., NoScript and
>>> AdBlock) also count as `web' applications. This falls in the
>>> "documents loaded by non-HTTP methods." Given the massive popularity
>>> of these extensions, I would say it is a significant use case
>>> (certainly not the most common case, but definitely warranting a say)
>>
>> Note: Chrome has added support for Content-Security-Policy natively in
>> its extension system:
>>
>> http://code.google.com/chrome/extensions/contentSecurityPolicy.html
>
> I suppose this doesn't cover the case of an extension (such as NoScript)
> which may want to force a CSP policy *on unrelated web pages*, e.g. by
> inserting a <META> element from a content script.

Yeah, it doesn't.  Have you had much success doing that?  I would
expect it to be tricky.

Adam
Received on Thursday, 5 April 2012 00:42:09 GMT
