Re: CSP violations introduced by Addons / Extensions

From: Mike West <mkwst@google.com>
Date: Mon, 29 Oct 2012 11:38:53 +0100
Message-ID: <CAKXHy=cFoP9jCCLgeatvDZHf3ynrnD5XtcY3yH12ii4L15fQ6Q@mail.gmail.com>
To: Ingo Chao <ichaocssd@googlemail.com>
Cc: Dan Veditz <dveditz@mozilla.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org

While I agree with you that detecting and killing malicious extensions is a
good thing, I don't believe that CSP is the proper level of the stack to do
that work.

To your specific points:

1. Chrome deals with the risk of malicious extensions inside enterprises by
giving IT departments the ability to control extension installation via
policy. This seems like a better solution than exposing information about
installed extensions to the web at large.

2. I think making detection of extensions like AdBlock simpler than it
already is falls well outside the functionality CSP is intended to provide.

In short, user agents quite intentionally give extensions the ability to
override the wishes of site authors. Transferring that authority (or some
semblance of it) back to the site author seems problematic, even if done
with good intentions.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Mon, Oct 29, 2012 at 10:23 AM, Ingo Chao <ichaocssd@googlemail.com> wrote:

> On Mon, Oct 29, 2012 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> > The other side of that concern is leaking information about what
> > extensions a user has installed to the site owner. At the moment, that's
> > an explicit non-goal of the spec. I'm of the opinion that it should stay
> > that way.
> >
> > What is the privacy impact that you're worried about? I'm not sure I
> > understand the use-case.
> >
>
> 1 An attacker who knows that a company uses addons (e.g. through
> inspection of the tracking pixels) may craft a special "update" to the
> addon and may try to distribute it to employees who are in charge of
> web analytics. Such an add-on may silently compromise the security of
> the company.
>
> 2 Users may install "useful" addons that, apart from phoning home,
> replace advertisements/other content in popular webpages. A CSP that
> informs the site owner about such interactions of the addon with the
> page could lead to certain actions. Without the CSP, the site owner
> will never know what happens.
>
> Currently, our security measure is to rely on the user's trust in the
> creator of the add-on.
>
> Ingo
>
Received on Monday, 29 October 2012 10:39:43 GMT