Re: [webappsec] CSP META tag support - keep or remove?

On 03/04/2012 03:33, Adam Barth wrote:
> On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> To me, applications such as browser extensions (e.g., NoScript and
>> AdBlock) also count as `web' applications. This falls in the
>> "documents loaded by non-HTTP methods." Given the massive popularity
>> of these extensions, I would say it is a significant use case
>> (certainly not the most common case, but definitely warranting a say)
> 
> Note: Chrome has added support for Content-Security-Policy natively in
> its extension system:
> 
> http://code.google.com/chrome/extensions/contentSecurityPolicy.html

I suppose this doesn't cover the case of an extension (such as NoScript)
which may want to force a CSP policy *on unrelated web pages*, e.g. by
inserting a <META> element from a content script.

-- G

Received on Wednesday, 4 April 2012 09:39:00 UTC
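
The content-script approach raised in the message above, as an added example that is not part of the original thread: a script that builds a policy and inserts it as a `<meta>` element on the page it runs in. The function names and the sample policy are hypothetical, and the list of directives ignored in `<meta>` delivery follows the later CSP specification rather than anything stated in the thread.

```javascript
// Directives the CSP specification ignores when the policy arrives via <meta>.
const META_IGNORED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Serialize a {directive: [sources]} map, dropping directives that would
// silently have no effect in a <meta> element so the caller can see the gap.
function buildMetaPolicy(directives) {
  const kept = [];
  const dropped = [];
  for (const [name, sources] of Object.entries(directives)) {
    const key = name.toLowerCase();
    if (META_IGNORED.has(key)) {
      dropped.push(key);
    } else {
      kept.push(sources.length ? `${key} ${sources.join(" ")}` : key);
    }
  }
  return { policy: kept.join("; "), dropped };
}

// Insert the policy as the first child of <head>. A <meta> policy is only
// honoured inside <head> and does not undo anything loaded or executed before
// it is inserted, so the script bails out if <head> does not exist yet.
function injectMetaCsp(doc, directives) {
  const { policy, dropped } = buildMetaPolicy(directives);
  if (!policy || !doc.head) return { inserted: false, policy, dropped };
  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", "Content-Security-Policy");
  meta.setAttribute("content", policy);
  doc.head.insertBefore(meta, doc.head.firstChild);
  return { inserted: true, policy, dropped };
}

// Constructed sample policy, for illustration only.
const SAMPLE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "frame-ancestors": ["'none'"], // dropped: no effect via <meta>
};

// Runs only in a page context (content script); skipped under Node.
if (typeof document !== "undefined") {
  injectMetaCsp(document, SAMPLE_POLICY);
}
```

The `dropped` list is the part worth logging: anything in it, such as clickjacking protection through `frame-ancestors`, still needs a real response header.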