- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 3 Aug 2014 20:17:04 -0700
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Philip Constantinou <constantinou@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>
On Sun, Aug 3, 2014 at 4:28 PM, Brad Hill <hillbrad@gmail.com> wrote: > But I do think there are also two issues here that we can and > perhaps should decompose: extensions/plugins versus bookmarklets > > Extensions and plugins are by their nature proprietary at this time. > I think it is likely that user agents will find a way to allow them to > work with Content Security Policy, but it is unlikely that a) they > will do so by simply allowing direct modification of the DOM with > injected script or b) that whatever mechanisms are employed will be > consistent across browsers, as the architectures of extension/plugin > technologies are user-agent specific. The differences between the > internal architectures of Firefox and Chrome plugins, for example, are > profound, and neither is within the scope of the W3C. I think it is likely that the web platform may need new features to allow extensions to inject things into pages safely. Or, more likely, the web platform may need new features to allow extensions to provide the *illusion* of doing so, so that it can be safe. But, I also think that workable proposals for doing so will come from the extension development community, not from web browser makers, due to differences in priorities. As long as extension developers keep insisting that extension-injected script tags should somehow "just work," we are unlikely to make progress. > Bookmarklets are a slightly different case because a big part of > their value proposition is that they are "just javascript" and work in > a relatively uniform manner across all browsers. Bookmarklets should be banished from the internet. They are a huge security risk because they lack an update mechanism for security updates, which is a fundamental requirement for any client-side code. All bookmarklets should be replaced by extensions, or by safe declarative things like the MSIE "accelerators." With this in mind, it would be totally reasonable for the CSP specification to say that browsers MUST NOT allow bookmarklets to violate CSP directives. The only improvement that browser makers should make to improve bookmarlet support is to create tools to help migrate bookmarklets to extensions. > Maybe we need a new Fetch context > (http://fetch.spec.whatwg.org/#requests) for activating a bookmark > that is more specific than "internal"? No, please. Cheers, Brian
Received on Monday, 4 August 2014 03:17:31 UTC