
Re: CSP violations introduced by Addons / Extensions

From: Ingo Chao <ichaocssd@googlemail.com>
Date: Thu, 25 Oct 2012 09:24:51 +0200
Message-ID: <CAAET60X4X7g=uOycXfKJgxNQcthhL69AReAzTuYFi9z3o_vKCg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org
Without the violation report for extensions/addons, monitoring loses
the chance to highlight risks coming from injected scripts.

Suggesting to have an optional watch-extensions directive for
Content-Security-Policy-Report-Only, and a corresponding flag in the
report.

Ingo


On Thu, Oct 25, 2012 at 8:54 AM, Mike West <mkwst@google.com> wrote:
> Hi Eduardo! Moving this thread to public-webappsec.
>
> In a nutshell, extensions shouldn't be generating CSP violation reports.
> They currently do, but that's an implementation bug.
>
> I'm working on that in WebKit in
> https://bugs.webkit.org/show_bug.cgi?id=97398, and I believe Mozilla has
> also recognized the need to fix things up in their implementation.
>
> So, things will get better. :)
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Thu, Oct 25, 2012 at 8:22 AM, Eduardo' Vela <evn@google.com> wrote:
>>
>> We've noticed that Extensions and Addons are responsible for CSP reports,
>> and it's hard for us to debug that.
>>
>> It would be nice if there was a flag in the report that specifies if the
>> violation was initiated by an extension or an addon.
>>
>> I understand there are challenges in doing this (e.g., an extension can
>> inject a script which later generates a report).
>>
>> Being able to differentiate these problems would assist us to more quickly
>> and efficiently reproduce and triage bugs.
>>
>> This goes hand in hand with the other request (generating a DOM
>> event/error on CSP violations).
>>
>
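Added example, not part of this thread nor of any W3C or browser code: a small report-receiver triage routine in Python that separates extension noise from page-originated violations on the receiving end, which is the monitoring concern Ingo and Eduardo raise. It assumes the CSP 1.0 JSON report body (a `csp-report` object with `document-uri`, `violated-directive`, `blocked-uri`, `original-policy`), uses the extension resource URL schemes listed in `EXTENSION_SCHEMES` as a heuristic (my choice of schemes, extend as needed), and treats a hypothetical `extension-initiated` field as a stand-in for the flag Ingo proposes; no specification defines that field, so the code only honours it if a future user agent sends it. The sample reports are constructed, not captured from a real site.

```python
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable
from urllib.parse import urlsplit

# URL schemes under which browsers serve extension/addon resources. A blocked-uri
# with one of these schemes came from an extension, not from the page's own
# content. (Assumption: chosen for Chrome/Firefox/Safari; extend for others.)
EXTENSION_SCHEMES = {
    "chrome-extension",
    "moz-extension",
    "safari-web-extension",
    "resource",  # Firefox-internal and legacy addon resources
}

# Hypothetical report field standing in for the flag Ingo proposes. No CSP
# specification defines it, so a real user agent will not send it today.
PROPOSED_FLAG = "extension-initiated"


@dataclass
class Triage:
    document_uri: str
    violated_directive: str
    blocked_uri: str
    origin: str  # "extension", "page" or "ambiguous"
    reason: str


def classify_report(raw_json: str) -> Triage:
    """Classify one CSP violation report (CSP 1.0 JSON body) by likely origin."""
    body = json.loads(raw_json)
    rep = body.get("csp-report", body)  # tolerate a bare report object too
    doc = rep.get("document-uri", "")
    directive = rep.get("violated-directive", "")
    blocked = rep.get("blocked-uri", "")

    # 1. If a user agent ever sets the proposed flag, trust it.
    if rep.get(PROPOSED_FLAG) is True:
        return Triage(doc, directive, blocked, "extension", "flagged by user agent")

    # 2. Heuristic available today: the blocked resource lives in an extension.
    scheme = urlsplit(blocked).scheme.lower()
    if scheme in EXTENSION_SCHEMES:
        return Triage(doc, directive, blocked, "extension", f"blocked-uri scheme {scheme}:")

    # 3. Inline violations carry "self" (or nothing) as blocked-uri. An inline
    #    script injected by an extension looks the same as any other inline
    #    script, which is exactly the case Eduardo points out.
    if blocked in ("", "self", "inline"):
        return Triage(doc, directive, blocked, "ambiguous", "inline violation, source unknown")

    # 4. An ordinary URL: treat as page content and keep it for investigation.
    return Triage(doc, directive, blocked, "page", "network resource blocked by policy")


def summarize(reports: Iterable[str]) -> Dict[str, int]:
    """Count reports per origin so extension noise can be shown separately."""
    return dict(Counter(classify_report(r).origin for r in reports))


# Constructed sample reports (not captured from any real site).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/content.js",
        "original-policy": "script-src 'self'; report-uri /csp-report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/login",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://third-party.example.test/widget.js",
        "original-policy": "script-src 'self'; report-uri /csp-report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "self",
        "original-policy": "script-src 'self'; report-uri /csp-report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "violated-directive": "style-src 'self'",
        "blocked-uri": "https://cdn.example.test/theme.css",
        PROPOSED_FLAG: True}}),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        t = classify_report(r)
        print(f"{t.origin:10} {t.violated_directive:20} {t.blocked_uri}  ({t.reason})")
    print(summarize(SAMPLE_REPORTS))
```

The scheme heuristic only catches violations whose blocked resource is itself an extension file; a script an extension injects that then loads an ordinary https: URL, or an inline script it adds, lands in the "page" or "ambiguous" bucket, which is why a user-agent-supplied flag, as proposed in the thread, would be more reliable than anything the receiver can infer.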
Received on Thursday, 25 October 2012 07:25:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 25 October 2012 07:25:18 GMT