
Re: CSP violations introduced by Addons / Extensions

From: Ingo Chao <ichaocssd@googlemail.com>
Date: Mon, 29 Oct 2012 10:23:05 +0100
Message-ID: <CAAET60XzpZpAMu8JNuoWrDwK2EgxnQ2QcM=4HJgLN9hrCDK20Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Dan Veditz <dveditz@mozilla.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org

On Mon, Oct 29, 2012 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> The other side of that concern is leaking information about what extensions
> a user has installed to the site owner. At the moment, that's an explicit
> non-goal of the spec. I'm of the opinion that it should stay that way.
>
> What is the privacy impact that you're worried about? I'm not sure I
> understand the use-case.
>

1 An attacker who knows that a company uses addons (e.g. through
inspection of the tracking pixels) may craft a special "update" to the
addon and may try to distribute it to employees who are in charge of
web analytics. Such an add-on may silently compromise the security of
the company.

2 Users may install "useful" addons that, apart from phoning home,
replace advertisements/other content in popular webpages. A CSP that
informs the site owner about such interactions of the addon with the
page could lead to certain actions. Without the CSP, the site owner
will never know what happens.

Currently, our security measure is to rely on the user's trust in the
creator of the add-on.

Ingo
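As an added example (not part of this thread, and not code from any browser or from the CSP spec), here is how a site's report endpoint could triage the violation reports the thread discusses, assuming the `csp-report` JSON wire format. The sample reports and the set of extension URL schemes are constructed assumptions. The design choice is that for an extension-originated report only the URL scheme is retained: the host part of such a URL is the extension's identifier, so dropping it lets the site notice that an add-on is rewriting its pages (point 2 above) without building the per-user inventory of installed extensions that Mike's reply treats as a non-goal.

```python
"""Triage CSP violation reports: separate extension-injected noise from
page-originated violations. Added example; report contents are constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Extension URL schemes as they appear in blocked-uri. Assumption: this list
# covers the common browsers and is not exhaustive.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-extension", "ms-browser-extension"}

# Constructed sample reports in the csp-report JSON shape (not real data).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension://aaaabbbbccccdddd/content.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "img-src 'self'",
        "blocked-uri": "moz-extension://1234-5678/replace.png"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.thirdparty.example/ads.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline"}}),
]


def classify_blocked_uri(blocked_uri):
    """Return ('extension', scheme), ('inline', None) or ('page', origin).

    For extension URLs only the scheme is kept: the host is the extension's
    identifier, and storing it would turn the report log into a record of
    which extensions each visitor has installed."""
    if blocked_uri in ("inline", "eval", "data", ""):
        return ("inline", None)
    parts = urlsplit(blocked_uri)
    if parts.scheme in EXTENSION_SCHEMES:
        return ("extension", parts.scheme)
    if parts.scheme and parts.netloc:
        return ("page", f"{parts.scheme}://{parts.netloc}")
    return ("page", blocked_uri)


def triage(raw_reports):
    """Aggregate a batch of JSON report bodies.

    Returns per-class counts, the distinct page-originated origins (the ones
    worth investigating as real policy violations), and a count of
    extension schemes seen, with no extension identifiers retained."""
    counts = Counter()
    page_origins = set()
    extension_schemes = Counter()
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            counts["malformed"] += 1
            continue
        kind, detail = classify_blocked_uri(body.get("blocked-uri", ""))
        counts[kind] += 1
        if kind == "page":
            page_origins.add(detail)
        elif kind == "extension":
            extension_schemes[detail] += 1
    return {"counts": dict(counts),
            "page_origins": sorted(page_origins),
            "extension_schemes": dict(extension_schemes)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORTS), indent=2))
```

Run against the constructed batch, the two extension reports are counted by scheme only, the third-party CDN origin surfaces as the one page-originated violation to look into, and malformed bodies are counted rather than crashing the endpoint.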
Received on Monday, 29 October 2012 09:23:33 GMT
