W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

RE: CSP violations introduced by Addons / Extensions

From: Hill, Brad <bhill@paypal-inc.com>
Date: Wed, 19 Dec 2012 01:01:15 +0000
To: Mike West <mkwst@google.com>, Ingo Chao <ichaocssd@googlemail.com>
CC: Dan Veditz <dveditz@mozilla.com>, Eduardo' Vela <evn@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E307A4C@DEN-EXDDA-S12.corp.ebay.com>
Ingo,

 I've created (and closed) ISSUE-41 (https://www.w3.org/2011/webappsec/track/issues/41) to formally record the WG's decision not to address this use case.

This group follows the priority of constituencies defined in the HTML Design Principles: http://www.w3.org/TR/html-design-principles/

 According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified. 

 If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner - which is the layer CSP operates at.

 Please feel free to object or comment further if you feel this resolution is inadequate.

Thank you,

Brad Hill
WebAppSec WG co-chair

---------------
 

From: Mike West [mailto:mkwst@google.com] 
Sent: Monday, October 29, 2012 3:39 AM
To: Ingo Chao
Cc: Dan Veditz; Eduardo' Vela; public-webappsec@w3.org
Subject: Re: CSP violations introduced by Addons / Extensions

While I agree with you that detecting and killing malicious extensions is a good thing, I don't believe that CSP is the proper level of the stack to do that work.

To your specific points:

1. Chrome deals with the risk of malicious extensions inside enterprises by giving IT departments the ability to control extension installation via policy. This seems like a better solution than exposing information about installed extensions to the web at large.

2. I think making detection of extensions like AdBlock simpler than it already is falls well outside the functionality CSP is intended to provide.

In short, user agents quite intentionally give extensions the ability to override the wishes of site authors. Transferring that authority (or some semblance of it) back to the site author seems problematic, even if done with good intentions.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Mon, Oct 29, 2012 at 10:23 AM, Ingo Chao <ichaocssd@googlemail.com> wrote:
On Mon, Oct 29, 2012 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> The other side of that concern is leaking information about what extensions
> a user has installed to the site owner. At the moment, that's an explicit
> non-goal of the spec. I'm of the opinion that it should stay that way.
>
> What is the privacy impact that you're worried about? I'm not sure I
> understand the use-case.
>
1 An attacker who knows that a company uses addons (e.g. through
inspection of the tracking pixels) may craft a special "update" to the
addon and may try to distribute it to employees who are in charge of
web analytics. Such an add-on may silently compromise the security of
the company.

2 Users may install "useful" addons that, apart from phoning home,
replace advertisements/other content in popular webpages. A CSP that
informs the site owner about such interactions of the addon with the
page could lead to certain actions. Without the CSP, the site owner
will never know what happens.

Currently, our security measure is to rely on the user's trust in the
creator of the add-on.

Ingo
Received on Wednesday, 19 December 2012 01:01:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 19 December 2012 01:01:46 GMT