Re: [webappsec] CSP META tag support - keep or remove?

On 05/04/2012 02:41, Adam Barth wrote:
> On Wed, Apr 4, 2012 at 2:38 AM, Giorgio Maone
<> wrote:
>> On 03/04/2012 03:33, Adam Barth wrote:
>>> Note: Chrome has added support for Content-Security-Policy natively in
>>> its extension system:
>> I suppose this doesn't cover the case of an extension (such as NoScript)
>> which may want to force a CSP policy *on unrelated web pages*, e.g. by
>> inserting a <META> element from a content script.
> Yeah, it doesn't.  Have you had much success doing that?  I would
> expect it to be tricky.
> Adam

The trickiest bit for a Chrome extension content script to do *anything*
time sensitive on a web page is that, albeit your script does run before
the page start to be rendered/executed, thanks to Chromium's
multi-processing architecture which doesn't allow for blocking IPC
(different from Mozilla's Electrolysis which allows the parent chrome
process to block the content), you generally cannot access any global
configuration and thus know *what* to do in time. That's one of the
reasons, if not the main one, why I didn't port NoScript on Chrome yet.

Received on Thursday, 5 April 2012 09:02:27 UTC