
Re: CSP violations introduced by Addons / Extensions

From: Mike West <mkwst@google.com>
Date: Mon, 29 Oct 2012 09:42:44 +0100
Message-ID: <CAKXHy=eSTgNoW7PT9dJX+qjKa0JeSpNoeG-a9u7y0Kg8oWrcWg@mail.gmail.com>
To: Ingo Chao <ichaocssd@googlemail.com>
Cc: Dan Veditz <dveditz@mozilla.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org

The other side of that concern is leaking information about what extensions
a user has installed to the site owner. At the moment, that's an explicit
non-goal of the spec. I'm of the opinion that it should stay that way.

What is the privacy impact that you're worried about? I'm not sure I
understand the use-case.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Mon, Oct 29, 2012 at 9:41 AM, Ingo Chao <ichaocssd@googlemail.com> wrote:

> On Sat, Oct 27, 2012 at 12:37 AM, Dan Veditz <dveditz@mozilla.com> wrote:
> > On 10/25/12 12:24 AM, Ingo Chao wrote:
> >>
> >> Without the violation report for extensions/addons, monitoring loses
> >> the chance to highlight risks coming from injected scripts.
> >
> >
> > You mean you, as a site author, want to be informed when an extension has
> > injected content whether the extension wants to be identified or not? That's
> > the exact opposite of what Fred Andrews was requesting.
> >
> > -Dan Veditz
>
> Yes. I am more concerned about the impact on privacy that an add-on may
> create.
>
> Ingo
>
Received on Monday, 29 October 2012 08:43:32 GMT
