
Re: [webappsec] CSP META tag support - keep or remove?

From: Giorgio Maone <g.maone@informaction.com>
Date: Thu, 05 Apr 2012 11:02:03 +0200
Message-ID: <4F7D5F8B.3090900@informaction.com>
To: Adam Barth <w3c@adambarth.com>
CC: Devdatta Akhawe <dev.akhawe@gmail.com>, public-webappsec@w3.org

On 05/04/2012 02:41, Adam Barth wrote:
> On Wed, Apr 4, 2012 at 2:38 AM, Giorgio Maone <g.maone@informaction.com> wrote:
>> On 03/04/2012 03:33, Adam Barth wrote:
>>> Note: Chrome has added support for Content-Security-Policy natively in
>>> its extension system:
>>>
>>> http://code.google.com/chrome/extensions/contentSecurityPolicy.html
>>
>> I suppose this doesn't cover the case of an extension (such as NoScript)
>> which may want to force a CSP policy *on unrelated web pages*, e.g. by
>> inserting a <META> element from a content script.
>
> Yeah, it doesn't.  Have you had much success doing that?  I would
> expect it to be tricky.
>
> Adam

The trickiest bit for a Chrome extension content script to do *anything*
time-sensitive on a web page is that, although your script does run before
the page starts to be rendered/executed, thanks to Chromium's
multi-processing architecture which doesn't allow for blocking IPC
(different from Mozilla's Electrolysis, which allows the parent chrome
process to block the content), you generally cannot access any global
configuration and thus know *what* to do in time. That's one of the
reasons, if not the main one, why I haven't ported NoScript to Chrome yet.
Received on Thursday, 5 April 2012 09:02:27 GMT
