- From: Giorgio Maone <g.maone@informaction.com>
- Date: Thu, 05 Apr 2012 11:02:03 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: Devdatta Akhawe <dev.akhawe@gmail.com>, public-webappsec@w3.org
On 05/04/2012 02:41, Adam Barth wrote:
> On Wed, Apr 4, 2012 at 2:38 AM, Giorgio Maone <g.maone@informaction.com> wrote:
>> On 03/04/2012 03:33, Adam Barth wrote:
>>> Note: Chrome has added support for Content-Security-Policy natively in
>>> its extension system:
>>>
>>> http://code.google.com/chrome/extensions/contentSecurityPolicy.html
>>
>> I suppose this doesn't cover the case of an extension (such as NoScript)
>> which may want to force a CSP policy *on unrelated web pages*, e.g. by
>> inserting a <META> element from a content script.
>
> Yeah, it doesn't. Have you had much success doing that? I would
> expect it to be tricky.
>
> Adam

The trickiest bit for a Chrome extension content script to do *anything* time-sensitive on a web page is that, albeit your script does run before the page starts to be rendered/executed, thanks to Chromium's multi-processing architecture which doesn't allow for blocking IPC (different from Mozilla's Electrolysis which allows the parent chrome process to block the content), you generally cannot access any global configuration and thus know *what* to do in time.

That's one of the reasons, if not the main one, why I didn't port NoScript to Chrome yet.
Received on Thursday, 5 April 2012 09:02:27 UTC