- From: Giorgio Maone <g.maone@informaction.com>
- Date: Wed, 04 Apr 2012 11:38:24 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: Devdatta Akhawe <dev.akhawe@gmail.com>, public-webappsec@w3.org

On 03/04/2012 03:33, Adam Barth wrote:
> On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> To me, applications such as browser extensions (e.g., NoScript and
>> AdBlock) also count as `web' applications. This falls in the
>> "documents loaded by non-HTTP methods." Given the massive popularity
>> of these extensions, I would say it is a significant use case
>> (certainly not the most common case, but definitely warranting a say)
>
> Note: Chrome has added support for Content-Security-Policy natively in
> its extension system:
>
> http://code.google.com/chrome/extensions/contentSecurityPolicy.html

I suppose this doesn't cover the case of an extension (such as NoScript)
which may want to force a CSP policy *on unrelated web pages*, e.g. by
inserting a <META> element from a content script.

-- G

Received on Wednesday, 4 April 2012 09:39:00 UTC