webappsec-ISSUE-41 (CSP and malicious extensions): CSP does not protect against malicious extensions

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Wed, 19 Dec 2012 00:57:26 +0000
Message-Id: <E1Tl7yQ-0004Tg-53@tibor.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/41

Raised by: Brad Hill
On product: 

A question arose on the list whether CSP can and should offer protection against modifications to resources by potentially malicious extensions.

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0089.html

This issue tracks the WG's formal resolution of the issue as out of scope.

In particular, this group follows the priority of constituencies defined in the HTML Design Principles: http://www.w3.org/TR/html-design-principles/

According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified.  

If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner.
Received on Wednesday, 19 December 2012 00:57:27 GMT