- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Wed, 19 Dec 2012 00:57:26 +0000
- To: public-webappsec@w3.org

webappsec-ISSUE-41 (CSP and malicious extensions): CSP does not protect against malicious extensions

http://www.w3.org/2011/webappsec/track/issues/41

Raised by: Brad Hill
On product:

A question arose on the list whether CSP can and should offer protection against modifications to resources by potentially malicious extensions.

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0089.html

This issue tracks the WG's formal resolution of the issue as out of scope. In particular, this group follows the priority of constituencies defined in the HTML Design Principles:

http://www.w3.org/TR/html-design-principles/

According to this, the user's right to install any extension (including malicious ones) and for those extensions to modify resources according to the user's wishes trumps a resource's wishes to remain unmodified. If a user needs protection from such extensions, this is part of the contract between the user and browser or operating system, not between the user and a resource owner.

Received on Wednesday, 19 December 2012 00:57:27 UTC